From pascal.jakobi at gmail.com Mon Jun 15 22:53:58 2020
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Tue, 16 Jun 2020 00:53:58 +0200
Subject: [Pki-users] curl / certrequests
Message-ID: <1dcff086-0b34-aa46-2bb0-776370161a60@gmail.com>

I am trying to retrieve the cert reqs that are in my CA at the moment.

The (wrong) curl command I use is below, with its result:

curl -v -E "/tmp/ca_admin.cert" -H "Accept: application/json" http://zbook.home:8080/ca/rest/agent/certrequests
*   Trying 192.168.1.20...
* TCP_NODELAY set
* Connected to zbook.home (192.168.1.20) port 8080 (#0)
> GET /ca/rest/agent/certrequests HTTP/1.1
> Host: zbook.home:8080
> User-Agent: curl/7.61.1
> Accept: application/json
>
< HTTP/1.1 302
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: https://zbook.home:8443/ca/rest/agent/certrequests
< Content-Length: 0
< Date: Mon, 15 Jun 2020 22:50:24 GMT
<
* Connection #0 to host zbook.home left intact

Can someone tell me what the correct curl command is, or why I don't receive anything as a result?

Thank you in advance.

--
*Pascal Jakobi*


From dmoluguw at redhat.com Mon Jun 15 23:09:14 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Mon, 15 Jun 2020 19:09:14 -0400
Subject: [Pki-users] curl / certrequests
In-Reply-To: <1dcff086-0b34-aa46-2bb0-776370161a60@gmail.com>
References: <1dcff086-0b34-aa46-2bb0-776370161a60@gmail.com>
Message-ID:

Hi Pascal,

What version of PKI are you using?

Can you try replacing your URL with the https protocol and the corresponding port number? https://zbook.home:8443/ca/rest/agent/certrequests
By default, the secure port is 8443.

Regards,
--Dinesh

On Mon, Jun 15, 2020 at 6:55 PM Pascal Jakobi wrote:
> I am trying to retrieve the cert reqs that are in my CA at the moment.
>
> The (wrong) curl command I use is below, with its result:
>
> curl -v -E "/tmp/ca_admin.cert" -H "Accept: application/json" http://zbook.home:8080/ca/rest/agent/certrequests
> *   Trying 192.168.1.20...
> * TCP_NODELAY set
> * Connected to zbook.home (192.168.1.20) port 8080 (#0)
> > GET /ca/rest/agent/certrequests HTTP/1.1
> > Host: zbook.home:8080
> > User-Agent: curl/7.61.1
> > Accept: application/json
> >
> < HTTP/1.1 302
> < Cache-Control: private
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Location: https://zbook.home:8443/ca/rest/agent/certrequests
> < Content-Length: 0
> < Date: Mon, 15 Jun 2020 22:50:24 GMT
> <
> * Connection #0 to host zbook.home left intact
>
> Can someone tell me what the correct curl command is, or why I don't receive anything as a result?
>
> Thank you in advance.
>
> --
> *Pascal Jakobi*
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users


From pascal.jakobi at gmail.com Tue Jun 16 07:25:57 2020
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Tue, 16 Jun 2020 09:25:57 +0200
Subject: [Pki-users] curl / certrequests
In-Reply-To:
References: <1dcff086-0b34-aa46-2bb0-776370161a60@gmail.com>
Message-ID:

rpm -q: pki-base-10.8.3-2.fc31.noarch

Working on it now... Thxs

On 16/06/2020 at 01:09, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hi Pascal,
>
> What version of PKI are you using?
>
> Can you try replacing your URL with the https protocol and the corresponding port number? https://zbook.home:8443/ca/rest/agent/certrequests
> By default, the secure port is 8443.
>
> Regards,
> --Dinesh
>
> On Mon, Jun 15, 2020 at 6:55 PM Pascal Jakobi wrote:
> > I am trying to retrieve the cert reqs that are in my CA at the moment.
> >
> > The (wrong) curl command I use is below, with its result:
> >
> > curl -v -E "/tmp/ca_admin.cert" -H "Accept: application/json" http://zbook.home:8080/ca/rest/agent/certrequests
> > *   Trying 192.168.1.20...
> > * TCP_NODELAY set
> > * Connected to zbook.home (192.168.1.20) port 8080 (#0)
> > > GET /ca/rest/agent/certrequests HTTP/1.1
> > > Host: zbook.home:8080
> > > User-Agent: curl/7.61.1
> > > Accept: application/json
> > >
> > < HTTP/1.1 302
> > < Cache-Control: private
> > < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> > < Location: https://zbook.home:8443/ca/rest/agent/certrequests
> > < Content-Length: 0
> > < Date: Mon, 15 Jun 2020 22:50:24 GMT
> > <
> > * Connection #0 to host zbook.home left intact
> >
> > Can someone tell me what the correct curl command is, or why I don't receive anything as a result?
> >
> > Thank you in advance.
> >
> > --
> > *Pascal Jakobi*

--
*Pascal Jakobi*
116 rue de Stalingrad 93100 Montreuil, France
pascal.jakobi at gmail.com - +33 6 87 47 58 19
From dmoluguw at redhat.com Thu Jun 25 02:52:02 2020
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Wed, 24 Jun 2020 22:52:02 -0400
Subject: [Pki-users] curl / certrequests
In-Reply-To: <47c571cb-dc40-dbe0-8350-7a0ff54f515c@gmail.com>
References: <1dcff086-0b34-aa46-2bb0-776370161a60@gmail.com> <47c571cb-dc40-dbe0-8350-7a0ff54f515c@gmail.com>
Message-ID:

(cc'ing pki-users for a wider audience)

Try to extract the admin cert and key from the PKCS12 to PEM files:

````
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.crt.pem -clcerts -nokeys
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.key.pem -nocerts -nodes
````

Then, pass both the cert and key as params to curl:

$ curl -v -k -E file.crt.pem --key file.key.pem https:// :8443/ca/rest/agent/certrequests

Note that I am passing in `-k` since I am using a self-signed CA cert.

Ref: https://stackoverflow.com/questions/32253909/curl-with-a-pkcs12-certificate-in-a-bash-script

HTH.

Regards,
--Dinesh

On Wed, Jun 17, 2020 at 7:02 AM Pascal Jakobi wrote:
> [root at auth pki-tomcat]# curl -v -E "/tmp/ca_admin.cert" -H "Accept: application/json" https://zbook.home:8443/ca/rest/agent/certrequests
> *   Trying 192.168.1.20:8443...
> * TCP_NODELAY set
> * Connected to zbook.home (192.168.1.20) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * unable to set private key file: '/tmp/ca_admin.cert' type PEM
> * Closing connection 0
> curl: (58) unable to set private key file: '/tmp/ca_admin.cert' type PEM
> [root at auth pki-tomcat]#
>
> For the time being, I do not understand what's to be done...
>
> Rgds
>
> P
>
> On 16/06/2020 at 01:09, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> > Hi Pascal,
> >
> > What version of PKI are you using?
> >
> > Can you try replacing your URL with the https protocol and the corresponding port number? https://zbook.home:8443/ca/rest/agent/certrequests
> > By default, the secure port is 8443.
> >
> > Regards,
> > --Dinesh
> >
> > On Mon, Jun 15, 2020 at 6:55 PM Pascal Jakobi wrote:
> > > I am trying to retrieve the cert reqs that are in my CA at the moment.
> > >
> > > The (wrong) curl command I use is below, with its result:
> > >
> > > curl -v -E "/tmp/ca_admin.cert" -H "Accept: application/json" http://zbook.home:8080/ca/rest/agent/certrequests
> > > *   Trying 192.168.1.20...
> > > * TCP_NODELAY set
> > > * Connected to zbook.home (192.168.1.20) port 8080 (#0)
> > > > GET /ca/rest/agent/certrequests HTTP/1.1
> > > > Host: zbook.home:8080
> > > > User-Agent: curl/7.61.1
> > > > Accept: application/json
> > > >
> > > < HTTP/1.1 302
> > > < Cache-Control: private
> > > < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> > > < Location: https://zbook.home:8443/ca/rest/agent/certrequests
> > > < Content-Length: 0
> > > < Date: Mon, 15 Jun 2020 22:50:24 GMT
> > > <
> > > * Connection #0 to host zbook.home left intact
> > >
> > > Can someone tell me what the correct curl command is, or why I don't receive anything as a result?
> > >
> > > Thank you in advance.
> > >
> > > --
> > > *Pascal Jakobi*
>
> --
> *Pascal Jakobi*
> 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jakobi at gmail.com - +33 6 87 47 58 19


From pascal.jakobi at gmail.com Mon Jun 29 22:29:32 2020
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Tue, 30 Jun 2020 00:29:32 +0200
Subject: [Pki-users] Python programming against dogtag
Message-ID: <59573e47-ce73-c258-5948-da51d421ace2@gmail.com>

I created the following python test script.

import requests
import json

url = "https://zbook.home:8443/ca/rest/agent/certrequests"
headers = {'Accept': 'application/json'}
certfile = '/etc/pki/tls/certs/ca_admin_cert.crt.pem'
keyfile = '/etc/pki/tls/private/ca_admin_cert.key.pem'

r = requests.request("GET", url, headers=headers, verify=False, cert=(certfile, keyfile))
print('DEBUG {}'.format(r.status_code))
print('DEBUG {}'.format(r.json()))

It works fine against dogtag. However, it will fail if verify is set to True.

So how can I enable SSL verification? In other terms, what's the equivalent to the "-k" switch from curl?

Thanks in advance

--
*Pascal Jakobi*


From ascheel at redhat.com Tue Jun 30 13:26:15 2020
From: ascheel at redhat.com (Alex Scheel)
Date: Tue, 30 Jun 2020 09:26:15 -0400 (EDT)
Subject: [Pki-users] Python programming against dogtag
In-Reply-To: <59573e47-ce73-c258-5948-da51d421ace2@gmail.com>
References: <59573e47-ce73-c258-5948-da51d421ace2@gmail.com>
Message-ID: <982006267.987143.1593523575425.JavaMail.zimbra@redhat.com>

Hi Pascal,

----- Original Message -----
> From: "Pascal Jakobi"
> To: pki-users at redhat.com
> Sent: Monday, June 29, 2020 6:29:32 PM
> Subject: [Pki-users] Python programming against dogtag
>
> I created the following python test script.
>
> import requests
> import json
>
> url = "https://zbook.home:8443/ca/rest/agent/certrequests"
> headers = {'Accept': 'application/json'}
> certfile = '/etc/pki/tls/certs/ca_admin_cert.crt.pem'
> keyfile = '/etc/pki/tls/private/ca_admin_cert.key.pem'
>
> r = requests.request("GET", url, headers=headers, verify=False, cert=(certfile, keyfile))
> print('DEBUG {}'.format(r.status_code))
> print('DEBUG {}'.format(r.json()))
>
> It works fine against dogtag. However, it will fail if verify is set to True.
>
> So how can I enable SSL verification? In other terms, what's the equivalent to the "-k" switch from curl?

There are three ways to go about this.

verify _technically_ takes a path argument, which allows you to pass a specific certificate/chain and use that to validate the certificate. Something like:

requests.request("GET", url, headers=headers, cert=(certfile, keyfile), verify="/path/to/ca_root.crt")

This is documented here: https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification

What we use in Dogtag is a custom adapter, using Python's SSL library and its certificate verification/loading mechanisms. This is more involved, but you can see what we do here:

https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L59-L86
https://github.com/dogtagpki/pki/blob/master/base/common/python/pki/client.py#L181

This is also documented here:

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
https://requests.readthedocs.io/en/master/user/advanced/#transport-adapters

Lastly, you could just reuse PKIConnection on Dogtag >= 10.9.0 :-)

from pki.client import PKIConnection
conn = PKIConnection(protocol='https', hostname='zbook.home', port='8443', cert_paths='/path/to/ca_root.crt')
conn.set_authentication_cert(certfile, keyfile)
conn.{get,put,post,...}

HTH,

- Alex

>
> Thanks in advance
>
> --
> *Pascal Jakobi*
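The points raised by Dinesh (PEM cert and key extracted from the PKCS12, curl -k) and by Alex (verify= as a CA path, ssl.SSLContext.load_verify_locations) in one stdlib-only client, added here as an example; it is not code from the thread or from Dogtag's pki.client. The host, port and file paths are assumed, and the plain-HTTP branch mirrors the empty 302 from the first message.

```python
import http.client
import json
import ssl
from urllib.parse import urlsplit


def build_client_context(cafile=None, certfile=None, keyfile=None, insecure=False):
    """Build the TLS context for a Dogtag agent REST call.

    cafile            -> requests' verify="/path/to/ca_root.crt" (curl --cacert)
    certfile, keyfile -> PEM cert and key extracted from ca_admin_cert.p12
                         (curl -E file.crt.pem --key file.key.pem)
    insecure=True     -> curl -k / verify=False: no CA or hostname check at all
    """
    # create_default_context() gives CERT_REQUIRED plus hostname matching and
    # calls load_verify_locations(cafile) when a CA file is given.
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        # check_hostname must be cleared before verify_mode can drop to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        # A cert-only PEM fails here, just as curl reported
        # "unable to set private key file"; the key must be present too.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def fetch_json(url, ctx, accept="application/json"):
    """GET url; return (status, parsed JSON body or None, redirect Location or None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 8443, context=ctx)
    else:
        # Plain HTTP: the client cert is never sent, and the server answers with an
        # empty 302 to the secure port, which is why the first curl printed nothing.
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 8080)
    conn.request("GET", parts.path or "/", headers={"Accept": accept})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status in (301, 302, 307, 308):
        return resp.status, None, resp.getheader("Location")
    return resp.status, (json.loads(body) if body else None), None


if __name__ == "__main__":
    # Assumed paths; ca_root.crt is the CA signing certificate in PEM form.
    ctx = build_client_context(cafile="/path/to/ca_root.crt",
                               certfile="file.crt.pem", keyfile="file.key.pem")
    print(fetch_json("https://zbook.home:8443/ca/rest/agent/certrequests", ctx))
```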