[Pki-users] Problem Renewing Server Certificates

Wolf, Brian Brian.Wolf at risd.org
Tue Feb 19 22:39:04 UTC 2019


Thanks. That got me a little farther:

# pki -U https://mydomain.example.xyz:8373 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
WARNING: UNTRUSTED ISSUER encountered on 'CN=mydomain.example.xyz,OU=my-instance,O=example.xyz' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=my-instance,O=example.xyz'
Import CA certificate (Y/n)?

“CA Signing Certificate” is the base signing certificate (serial number 0x1). Should the WARNING and prompt about importing it (to where?) be expected? I’m running the commands locally on the CA server, FWIW.

Your command example includes “-d ~/.dogtag/subca1”. The man page says -d is for the client security database location. I just have the default nssdb and my instance directory under ~/.dogtag, so I’m guessing the default nssdb is what I need?

# ls -l ~/.dogtag
total 4
drwxr-xr-x. 2 root root   51 Mar 22  2017 nssdb
drwxrwxr-x. 3 root root 4096 Oct  6  2017 my-instance


- Brian

From: Marc Sauton [mailto:msauton at redhat.com]
Sent: Friday, February 15, 2019 7:01 PM
To: Wolf, Brian <Brian.Wolf at risd.org>
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Problem Renewing Server Certificates

Try adding a -U option with the CA URL, like for example:
pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal
I added a -d option to point to a NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.
A request should be created and in pending state, until an agent approves it.
(use a profile with agent authentication for automatic issuance; a user with SSL client auth should have automatic renewal/cert issuance)
Thanks,
M.

On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian <Brian.Wolf at risd.org> wrote:
I installed PKI-CA two years ago on a Redhat 7 server. I used it to create certificates for an application and have not needed it since. Now that the PKI server certificates are about to expire, I’m trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal . I am getting an error when I try to submit the renewal request. The error seems to be that it can’t find /pki/rest/info.

Installed packages:

pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64


java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64

rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch



Listing the certificates works. We do not use the default instance of pki-tomcat.

# pki-server cert-find -i <my-instance> ca
-----------------
5 entries matched
-----------------
  Cert ID: ca_signing
  Nickname: caSigningCert … CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,…
  Issuer DN: CN=CA Signing Certificate,…
  Not Valid Before: Fri Mar 10 16:38:21 2017
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert … CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,…
  Issuer DN: CN=CA Signing Certificate,OU=…
  Not Valid Before: Fri Mar 10 16:38:23 2017
  Not Valid After: Thu Feb 28 16:38:23 2019

[snip]


But the renewal request gives a Not Found error:

# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKIException: Not Found

Adding -v shows an error on the HTTP GET of /pki/rest/info. I don’t see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?


# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: my-server:8370
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 977
  Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
        at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
        at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
        at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255
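A check that goes with the `pki-server cert-find` listing above: parse the listing and flag system certificates whose "Not Valid After" date falls inside a renewal window, so an expiring OCSP signing certificate like the 0x2 one shows up before it lapses. This is an added example, not code from the thread or from the Dogtag project; the sample listing is constructed to match the cert-find output format shown above, with the elided parts of the nicknames and DNs filled with placeholder values.

```python
"""Flag Dogtag system certificates nearing expiry from `pki-server cert-find` output.
Added example, not part of the thread or of the Dogtag project."""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the cert-find listing above
# (nickname suffixes and DN parts are placeholders).
SAMPLE_OUTPUT = """\
-----------------
2 entries matched
-----------------
  Cert ID: ca_signing
  Nickname: caSigningCert cert-my-instance CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=my-instance,O=example.xyz
  Issuer DN: CN=CA Signing Certificate,OU=my-instance,O=example.xyz
  Not Valid Before: Fri Mar 10 16:38:21 2017
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert cert-my-instance CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=my-instance,O=example.xyz
  Issuer DN: CN=CA Signing Certificate,OU=my-instance,O=example.xyz
  Not Valid Before: Fri Mar 10 16:38:23 2017
  Not Valid After: Thu Feb 28 16:38:23 2019
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"   # date layout printed by cert-find

def parse_cert_find(text):
    """Return one dict per 'Cert ID:' block; keys are the field labels."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)   # first colon splits label/value
        if not m:
            continue                                  # separators, counts, blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Cert ID":
            current = {"Cert ID": value}
            certs.append(current)
        elif current is not None:
            current[key] = value
    return certs

def expiring(certs, now, days=30):
    """(Cert ID, serial, not_after) for certs expiring within `days` of `now`.
    `now` may be a datetime or a string in cert-find's date format."""
    if isinstance(now, str):
        now = datetime.strptime(now, DATE_FMT)
    cutoff = now + timedelta(days=days)
    return [(c["Cert ID"], c["Serial Number"], datetime.strptime(c["Not Valid After"], DATE_FMT))
            for c in certs
            if datetime.strptime(c["Not Valid After"], DATE_FMT) <= cutoff]
```

On a live server, pipe `pki-server cert-find -i <instance> ca` into `parse_cert_find` and pass the current time to `expiring`.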