Actually, I forgot to include the session cookie in the requests... Here is
a script that works:

curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$P12PWD

curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 \
  --cert ca_admin_cert.p12:$P12PWD \
  --header "Content-Type:application/xml" -H "Accept: application/json" \
  -d @review.xml | jq

Hopefully it can be useful for someone else...
On Mon, 8 Feb 2021 at 18:40, Perig Bouenou <pseite35(a)gmail.com> wrote:
according to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems
that the login permission for certServer.ca.account is not set and the
session is not created.
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertUserDBAuthentication: UID caadmin authenticated.
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID: caadmin
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Certificate Manager Agents
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Security Domain Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise CA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise KRA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise OCSP Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TKS Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise RA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TPS Administrators
Here, "Granting login permission for certServer.ca.account" and "Creating session" are missing...
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting execute permission for certServer.ca.certrequests
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertRequestService: Validating certificate request 12
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting approve permission for certServer.ca.request.profile
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: Nonce: 2691022150130176365
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: Nonce for cert-request 12 does not exist
On Mon, 8 Feb 2021 at 16:57, Perig Bouenou <pseite35(a)gmail.com> wrote:
> BTW, it is a similar issue to the one raised in
> https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...
>
> On Mon, 8 Feb 2021 at 16:51, Perig Bouenou <pseite35(a)gmail.com> wrote:
>
>> Hi,
>>
>> Thanks for the hint. Now, I make with curl the same queries as "pki -U
>> http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review
>> 8 --action approve" (I'm using the insecure port to be able to capture
>> unencrypted queries to the API):
>>
>> I start with a login and a review to get a nonce:
>>
>> curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> \
>>   https://dogtag.org:8443/ca/rest/account/login
>> curl -s -H "Accept: application/xml" --cert-type P12 \
>>   --cert ca_admin_cert.p12:<pkc12pwd> \
>>   https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint \
>>   --format - > 08.xml
>>
>> The nonce is well generated:
>>
>> $ grep nonce 08.xml
>> <nonce>-8605088983470492766</nonce>
>>
>> Then, I do a curl POST to /ca/rest/agent/certrequests/8/approve, but the
>> request returns the error "Nonce for cert-request 8 does not exist":
>>
>> curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> \
>>   https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve \
>>   --header "Content-Type:application/xml" -H "Accept: application/json"
>> {
>>   "Attributes": {
>>     "Attribute": []
>>   },
>>   "ClassName": "com.netscape.certsrv.base.BadRequestException",
>>   "Code": 400,
>>   "Message": "Nonce for cert-request 8 does not exist"
>> }
>>
>> Something is missing... any ideas?
>>
>> BR
>>
>> On Thu, 4 Feb 2021 at 23:38, Marc Sauton <msauton(a)redhat.com> wrote:
>>
>>> or use the pki command line tool with the option ca-cert-request-review:
>>> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request
>>> for example:
>>> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C \
>>>   ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 \
>>>   --action approve
>>>
>>> and after successful authentication, the URI is in the form
>>> of /ca/rest/agent/certrequests/xx/approve
>>> where xx is the request id
>>> it is an HTTPS POST operation
>>>
>>> Thanks,
>>> M.
>>>
>>>
>>> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35(a)gmail.com>
>>> wrote:
>>>
>>>> Hello
>>>>
>>>>
>>>> I'm trying to approve certificate requests by using curl as in
>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-...
>>>>
>>>> I manage to submit certificate requests by posting an XML request
>>>> template, I can retrieve the list of requests, the curl command for a
>>>> review works fine, but I'm stuck with approval by using curl (I can
>>>> approve CSRs with the pki tool but I still don't know how to do the same
>>>> with curl).
>>>>
>>>> BTW, here is my command for reviewing a request:
>>>>
>>>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> \
>>>>   https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header \
>>>>   "Content-Type:application/xml" | xmllint --format -
>>>>
>>>>
>>>> Can someone tell me what's the correct curl command to approve a CR? Or
>>>> is there any example of request approval (with curl) somewhere? Or even
>>>> something more detailed than
>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-...
>>>> ?
>>>>
>>>> PS: I had a look at the Java API (
>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certifi...)
>>>> but it didn't help me so much.
>>>>
>>>> Regards,
>>>> Pier
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
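The approval flow the thread converges on (client-cert login, review to obtain a nonce, POST the review document back in the same session), as an added shell example that is not code from the thread or from the Dogtag project. The base URL, the PKCS#12 file name and the P12PWD environment variable are assumptions; the REST paths are the ones quoted above. The point it makes concrete: the nonce is bound to the login session, so without a shared cookie jar every request gets a fresh session and the CA answers "Nonce for cert-request N does not exist".

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): approve a CA certificate
# request with curl while keeping ONE session across login, review and approve.
# Assumptions: BASE, CERT and P12PWD come from the environment; the REST paths
# are the ones discussed in the thread.
set -e

BASE="${BASE:-https://dogtag.org:8443}"   # CA base URL (assumed, host from the thread)
CERT="${CERT:-ca_admin_cert.p12}"          # agent/admin certificate as PKCS#12 (assumed)

# Print the <nonce> value found in a review document read on stdin;
# prints nothing when the element is absent.
nonce_of() {
    sed -n 's/.*<nonce>\([-0-9][-0-9]*\)<\/nonce>.*/\1/p'
}

# approve_request REQUEST_ID: login, review, check a nonce exists, approve.
approve_request() {
    id="$1"
    jar="$(mktemp)"; review="$(mktemp)"
    trap 'rm -f "$jar" "$review"' EXIT

    # 1. Login with the client certificate; -c stores the session cookie in the jar.
    curl -sS -o /dev/null -c "$jar" --cert-type P12 --cert "$CERT:$P12PWD" \
        "$BASE/ca/rest/account/login"

    # 2. Review the request in the SAME session (-b); the response carries a nonce.
    curl -sS -b "$jar" -H "Accept: application/xml" \
        --cert-type P12 --cert "$CERT:$P12PWD" \
        "$BASE/ca/rest/agent/certrequests/$id" > "$review"

    nonce="$(nonce_of < "$review")"
    if [ -z "$nonce" ]; then
        echo "review of request $id returned no nonce; was the session cookie kept?" >&2
        return 1
    fi

    # 3. Post the review document (nonce included) back, still with the session cookie.
    curl -sS -b "$jar" -X POST -H "Content-Type: application/xml" \
        -H "Accept: application/json" --cert-type P12 --cert "$CERT:$P12PWD" \
        -d @"$review" "$BASE/ca/rest/agent/certrequests/$id/approve"
}

# Runs only when a request id is given, e.g.: P12PWD=secret ./approve.sh 12
if [ "$#" -ge 1 ]; then
    approve_request "$1"
fi
```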