[Pki-users] Approve Certificate Request with curl

Marc Sauton msauton at redhat.com
Mon Feb 8 21:58:56 UTC 2021


Yes, good catch for the cookie header.
Thanks for the feedback to the list.
M.

On Mon, Feb 8, 2021 at 1:17 PM Perig Bouenou <pseite35 at gmail.com> wrote:

> Actually, I forgot to include the session cookie in the requests... Here
> is a script that works:
>
> # P12_PASSWORD holds the PKCS#12 password; do not name it PWD, which the
> # shell already uses for the current working directory.
> curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$P12_PASSWORD \
>     https://dogtag.org:8443/ca/rest/account/login
>
> curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 \
>     --cert ca_admin_cert.p12:$P12_PASSWORD \
>     https://dogtag.org:8443/ca/rest/agent/certrequests/$ID \
>     | xmllint --format - > review.xml
>
> curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$P12_PASSWORD \
>     https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve \
>     --header "Content-Type:application/xml" -H "Accept: application/json" \
>     -d @review.xml | jq
>
> Hopefully it can be useful for someone else...
>
> On Mon, Feb 8, 2021 at 6:40 PM Perig Bouenou <pseite35 at gmail.com> wrote:
>
>> according to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems
>> that the login permission for certServer.ca.account is not set and the
>> session is not created.
>>
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertUserDBAuthentication: UID caadmin authenticated.
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID: caadmin
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Certificate Manager Agents
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Security Domain Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise CA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise KRA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise OCSP Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TKS Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise RA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TPS Administrators
>>
>> Here, "Granting login permission for certServer.ca.account" and "Creating
>> session" are missing...
>>
>>
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting execute permission for certServer.ca.certrequests
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertRequestService: Validating certificate request 12
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting approve permission for certServer.ca.request.profile
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: Nonce: 2691022150130176365
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: Nonce for cert-request 12 does not exist
>>
>> On Mon, Feb 8, 2021 at 4:57 PM Perig Bouenou <pseite35 at gmail.com>
>> wrote:
>>
>>> BTW, it is a similar issue to the one raised in
>>> https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...
>>>
>>> On Mon, Feb 8, 2021 at 4:51 PM Perig Bouenou <pseite35 at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for the hint. Now I make with curl the same queries as "pki
>>>> -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review
>>>> 8 --action approve" (I'm using the insecure port to be able to capture
>>>> the unencrypted queries to the API):
>>>>
>>>> I start with a login and a review to get a nonce:
>>>>
>>>> curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkcs12pwd> \
>>>>     https://dogtag.org:8443/ca/rest/account/login
>>>> curl -s -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:<pkcs12pwd> \
>>>>     https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint --format - > 08.xml
>>>>
>>>> The nonce is well generated:
>>>>
>>>> $ grep nonce 08.xml
>>>>   <nonce>-8605088983470492766</nonce>
>>>>
>>>> Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but
>>>> the request returns the error "Nonce for cert-request 8 does not exist"
>>>>
>>>> curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkcs12pwd> \
>>>>     https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve \
>>>>     --header "Content-Type:application/xml" -H "Accept: application/json"
>>>> {
>>>>   "Attributes": {
>>>>     "Attribute": []
>>>>   },
>>>>   "ClassName": "com.netscape.certsrv.base.BadRequestException",
>>>>   "Code": 400,
>>>>   "Message": "Nonce for cert-request 8 does not exist"
>>>> }
>>>>
>>>> Something is missing... any ideas?
>>>>
>>>> BR
>>>>
>>>> On Thu, Feb 4, 2021 at 11:38 PM Marc Sauton <msauton at redhat.com>
>>>> wrote:
>>>>
>>>>> or use the pki command line tool with the option
>>>>> ca-cert-request-review:
>>>>> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request
>>>>> for example:
>>>>> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 \
>>>>>     -C ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 --action approve
>>>>>
>>>>> and after successful authentication, the URI is in the form
>>>>> of /ca/rest/agent/certrequests/xx/approve
>>>>> where xx is the request id
>>>>> it is an HTTPS POST operation
>>>>>
>>>>> Thanks,
>>>>> M.
>>>>>
>>>>>
>>>>> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello
>>>>>>
>>>>>>
>>>>>> I'm trying to approve certificate requests by using curl as in
>>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API
>>>>>>
>>>>>> I manage to submit certificate requests by posting an xml request
>>>>>> template, I can retrieve the list of requests, the curl command for a
>>>>>> review works fine, but I'm stuck with approval by using curl (I can approve
>>>>>> CSRs with the pki tool but I still don't know how to do the same with curl).
>>>>>>
>>>>>> BTW, here is my command for reviewing request:
>>>>>>
>>>>>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> \
>>>>>>     https://dogtag.server:8443/ca/rest/agent/certrequests/08 \
>>>>>>     --header "Content-Type:application/xml" | xmllint --format -
>>>>>>
>>>>>>
>>>>>> Can someone tell me what's the correct curl command to approve a
>>>>>> certificate request? or is there any example of request approval (with
>>>>>> curl) somewhere? or even something more detailed than
>>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API
>>>>>> ?
>>>>>>
>>>>>> PS: I had a look at the JAVA API (
>>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certificate-request)
>>>>>> but it didn't help me so much.
>>>>>>
>>>>>> Regards,
>>>>>> Pier
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>>>
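The three-step flow that the thread converges on (log in to open a session, review the request to obtain a nonce, POST the reviewed document back to /approve) as one script, added here as an example; it is not code from the thread or from the Dogtag project. The host, PKCS#12 file and REST paths are the ones the posts use; the CA_BUNDLE file, the P12_PASSWORD variable, the sample review document and the function names are assumptions of mine. The point it makes concrete is the one the debug log shows: the server stores the nonce in the agent's session, so the review and the approval have to be sent with the same cookie, otherwise the approval runs in a fresh session and is rejected with "Nonce for cert-request N does not exist". Compared with the posted one-liners it keeps the cookie jar in an mktemp file rather than a fixed /tmp path, verifies the server with --cacert instead of -k, and refuses to POST when the review carried no usable nonce.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Dogtag project:
# approve a certificate request with curl while keeping one server session
# across the login, review and approve calls.
#
# Assumed settings (override through the environment):
#   CA_URL        base URL of the CA, as in the posts
#   P12_FILE      agent client certificate in PKCS#12 form, as in the posts
#   P12_PASSWORD  its password; taken from the environment, not hard-coded
#   CA_BUNDLE     PEM file with the CA's TLS issuer chain (assumed file name),
#                 so the server is verified instead of skipped with -k
set -eu

CA_URL="${CA_URL:-https://dogtag.org:8443}"
P12_FILE="${P12_FILE:-ca_admin_cert.p12}"
P12_PASSWORD="${P12_PASSWORD:-}"
CA_BUNDLE="${CA_BUNDLE:-ca_chain.pem}"
# Private, unpredictable cookie jar instead of a fixed /tmp path: it holds the
# agent's live session cookie for as long as the script runs.
COOKIE_JAR="$(mktemp)"

# Constructed sample of a review response (shape only, not captured from a
# CA), used to exercise the nonce parser without a network.
SAMPLE_REVIEW='<CertReviewResponse>
  <requestId>12</requestId>
  <nonce>-8605088983470492766</nonce>
</CertReviewResponse>'

# Every call shares client-cert authentication, TLS verification and the
# cookie jar (read with -b, updated with -c), so all land in the same session.
curl_ca() {
    curl -s --fail \
        --cert-type P12 --cert "${P12_FILE}:${P12_PASSWORD}" \
        --cacert "${CA_BUNDLE}" \
        -b "${COOKIE_JAR}" -c "${COOKIE_JAR}" \
        "$@"
}

# Step 1: authenticate. The server creates the session and returns its cookie.
pki_login() {
    curl_ca -o /dev/null "${CA_URL}/ca/rest/account/login"
}

# Step 2: review the request. The response carries a nonce that the server
# remembers in this session and expects back on the approval.
pki_review() {  # $1 = request id; review XML on stdout
    curl_ca -H "Accept: application/xml" "${CA_URL}/ca/rest/agent/certrequests/$1"
}

# Print the first <nonce> value found in review XML on stdin (one-line or
# pretty-printed); prints nothing when the element is absent.
extract_nonce() {
    sed -n 's/.*<nonce>\([^<]*\)<\/nonce>.*/\1/p' | head -n 1
}

# The nonce is a signed integer; reject anything else before using it.
nonce_is_valid() {  # $1 = candidate nonce
    printf '%s' "$1" | grep -Eq '^-?[0-9]+$'
}

# Step 3: POST the reviewed document back. Same cookie jar, so the nonce it
# carries matches the one the server stored for this session.
pki_approve() {  # $1 = request id, $2 = path to the review XML
    curl_ca -X POST \
        -H "Content-Type: application/xml" -H "Accept: application/json" \
        -d @"$2" \
        "${CA_URL}/ca/rest/agent/certrequests/$1/approve"
}

approve_request() {  # $1 = request id
    id="$1"
    review="$(mktemp)"
    pki_login
    pki_review "$id" > "$review"
    nonce="$(extract_nonce < "$review")"
    if ! nonce_is_valid "$nonce"; then
        echo "review of request $id carried no usable nonce; not approving" >&2
        rm -f "$review"
        return 1
    fi
    pki_approve "$id" "$review"
    rm -f "$review"
}

# Drop the session cookie when the script ends, whatever the outcome.
cleanup() { rm -f "$COOKIE_JAR"; }
trap cleanup EXIT

# Usage: P12_PASSWORD=... ./approve.sh <request id>
if [ "$#" -ge 1 ]; then
    approve_request "$1"
fi
```

The login call in the posted script uses -I (a HEAD request); here it is a plain GET with the body discarded, which sets the cookie just the same. The nonce check is the guard for the failure the thread ran into: a review fetched outside the session that later approves yields a document whose nonce the server never issued to that session, and posting it only produces the 400 shown above.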

