Z D,
No. The "approve" operation you are trying to achieve is an action from
admin. So, you need to change this to the following:
`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`
-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a
`certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a
list of certs available in the nssdb.
NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server
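A preflight script for the approval step described above, added here as an example (it is not from this thread or from the Dogtag project). It checks that the directory given to `-d` really holds an NSS database, that the password file unlocks it, and that the nickname for `-n` exists, and only then calls `pki`, so a wrong `-d` path or password is reported by name instead of as a bare IncorrectPasswordException. It assumes `certutil` (nss-tools) and the `pki` CLI are on PATH, uses pki's `-C <file>` password-file option rather than the inline `-c <password>` form shown in the reply, and the paths, nickname and request id in the usage comment are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the thread or the Dogtag project): preflight the
# inputs to "pki ... ca-cert-request-review <id> --action approve" so that a
# wrong -d directory, a wrong password or a missing -n nickname is reported
# before pki is called. Assumes certutil (nss-tools) and pki are on PATH.

# Does DIR hold an NSS database? The dbm format uses cert8.db/key3.db,
# the sql format uses cert9.db/key4.db.
nssdb_present() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then return 0; fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then return 0; fi
    return 1
}

# Does PWFILE (a file holding only the database password, not a Dogtag
# password.conf) unlock the key database in DIR? "certutil -K" lists the
# private keys and fails on a wrong password, which is the condition pki
# reports as "Incorrect client security database password".
nssdb_password_ok() {
    certutil -K -d "$1" -f "$2" >/dev/null 2>&1
}

# Is there a certificate with nickname NICK in DIR? NICK is the value
# that goes to "pki -n".
nssdb_has_nick() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# approve_request DIR PWFILE NICK REQID
# Runs the checks in order, then approves the request. Distinct return
# codes tell a calling script which check failed.
approve_request() {
    dir="$1"; pwfile="$2"; nick="$3"; reqid="$4"
    if ! nssdb_present "$dir"; then
        echo "no NSS database in $dir (expected cert8.db/key3.db or cert9.db/key4.db)" >&2
        return 2
    fi
    if ! nssdb_password_ok "$dir" "$pwfile"; then
        echo "password in $pwfile does not unlock $dir" >&2
        return 3
    fi
    if ! nssdb_has_nick "$dir" "$nick"; then
        echo "no certificate '$nick' in $dir; list them with: certutil -L -d $dir" >&2
        return 4
    fi
    # -C is pki's password-file option (the reply above uses -c <password> inline).
    pki -d "$dir" -C "$pwfile" -n "$nick" ca-cert-request-review "$reqid" --action approve
}

# Usage (placeholders): point -d at the client/admin database that holds the
# admin cert, not at the server database under /etc/pki/pki-tomcat/alias.
#   approve_request /root/.dogtag/pki-tomcat/ca/alias /root/nssdb.pw "<admin cert nickname>" 7
```

The password file given to `certutil -f` and `pki -C` must contain the raw database password on its own line; Dogtag's password.conf files are key=value lists and will not work there unless the value is extracted first.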
Thanks Dinesh, I was able to submit request using
caManualRenewal.xml file, but I need clarity about approval.
I believe default CA admin can be used as CA agent. So password I use
for "-c" is the one I have in files like
/root/.dogtag/pki-tomcat/ca/password.conf and
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
NSS database is located in /etc/pki/pki-tomcat/alias, is this the one
I should use for "-d" ?
The command:
pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve
gives the output:
IncorrectPasswordException: Incorrect client security database password.
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw(a)redhat.com>
Sent: Sunday, November 18, 2018 10:40:01 AM
To: Z D; John Magne; pki-users(a)redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
Hi Zarko,
May be this documentation might help?
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
It has instructions for 10.3 or earlier. Let us know if that helped!
Regards,
Dinesh
On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
>
> Hi John, thanks for the feedback.
>
> I used this URL as help to disable self tests.
>
> Many of "pki-server" command options are not present for me, since
> pki-server version is 10.3, I believe the doc applies for 10.5.
>
> But I was able to disable self test and PKI is responsive now.
>
> After system time is back, I use 'getcert resubmit' to renew a cert
> and am seeing these certmonger errors.
>
> Basically it is something like:
>
> "ACIError: Insufficient access: Invalid credentials"
>
> [journalctl messages]
> ------------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
>     sys.exit(main())
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
>     if ca.is_renewal_master():
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
>     self.ldap_connect()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
>     conn.do_bind(self.dm_password, autobind=self.autobind)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
>     self.do_sasl_gssapi_bind(timeout=timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
>     self.__bind_with_wait(self.gssapi_bind, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
>     bind_func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
>     '', auth_tokens, server_controls, client_controls)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
>     raise errors.ACIError(info="%s %s" % (info, desc))
> ACIError: Insufficient access: Invalid credentials
>
> [syslog messages]
> ------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
>     sys.exit(main())
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
>     if ca.is_renewal_master():
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
>     self.ldap_connect()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
>     conn.do_bind(self.dm_password, autobind=self.autobind)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
>     self.do_sasl_gssapi_bind(timeout=timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
>     self.__bind_with_wait(self.gssapi_bind, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
>     bind_func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
>     '', auth_tokens, server_controls, client_controls)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
>     raise errors.ACIError(info="%s %s" % (info, desc))
> ACIError: Insufficient access: Invalid credentials
> Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
>
> Is there any URL that's relevant for pki 10.3?
>
> thanks in advance, Zarko
>
> From: John Magne <jmagne(a)redhat.com>
> Sent: Wednesday, November 14, 2018 6:16 PM
> To: Z D
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> Hi:
>
> You can try to temporarily disable the self tests for your ca, until
> the new certs are resolved.
>
> Look in the CS.cfg file for the ca in question and there is a big section
> controlling the self tests. Just experiment with commenting out the
> tests and see if that gets you past the hurdle..
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
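What John's suggestion looks like in a CS.cfg, added here as an illustration that is not part of the thread. In a Dogtag 10.x CA the self tests run at startup are listed under the selftests.container.order.startup key in the CA's CS.cfg (on a default instance, /var/lib/pki/pki-tomcat/ca/conf/CS.cfg); the key name, the path and the test names below are taken from Dogtag's stock configuration as I know it and should be checked against your own file. SystemCertsVerification is the test that fails when a system certificate has expired, so dropping it from the startup list lets the CA come up long enough to renew; the original line should be put back once renewal is done, since with it removed the CA no longer refuses to start on a bad or expired system certificate.

```properties
# Before (stock): the expired system cert makes this critical test fail,
# and the CA does not start.
selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical

# After (temporary, only until the certificates are renewed):
selftests.container.order.startup=CAPresence:critical
```

Restart the instance after the edit and, once the renewed certificates are in place, restore the original line and restart again to confirm the verification test passes.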