DogTag ca denied (inside IPA)
by Kat
Hi all - new to list. I can't find the answer on the IPA mailing list
and I really think this is directly related to DogTag anyway.
Trying to debug a key being denied. Here is a little snippet of log.
Where can I find WHY it is getting denied - or is there some additional
debug I can turn on to find it? See the last one? This is driving me
crazy - if anyone can point me to debug settings or anything to help me
diagnose?
2019-02-09 16:12:56 - SimpleCredsAuth-[auth:simple] - PASS: '30015'
authenticated as '48, 48'
2019-02-09 16:12:56 - SimpleHeaderAuth-[auth:header] - PASS: '30015'
authenticated as '(null)'
2019-02-09 16:12:56 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015'
authorized for '/keys'
2019-02-09 16:12:57 - Secrets-[/keys] - ALLOWED:
'(null)' requested key 'ca/subsystemCert cert-pki-ca'
2019-02-09 16:14:53 - SimpleCredsAuth-[auth:simple] - PASS: '30015'
authenticated as '48, 48'
2019-02-09 16:14:53 - SimpleHeaderAuth-[auth:header] - PASS: '30015'
authenticated as '(null)'
2019-02-09 16:14:53 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015'
authorized for '/keys'
2019-02-09 16:14:53 - Secrets-[/keys] - ALLOWED:
'(null)' requested key 'ra/ipaCert'
2019-02-09 16:17:34 - SimpleCredsAuth-[auth:simple] - PASS: '24826'
authenticated as '48, 48'
2019-02-09 16:17:34 - SimpleHeaderAuth-[auth:header] - PASS: '24826'
authenticated as '(null)'
2019-02-09 16:17:34 - IPAKEMKeys-[authz:kemkeys] - PASS: '24826'
authorized for '/keys'
2019-02-09 16:17:34 - Secrets-[/keys] - ALLOWED:
'(null)' requested key 'dm/DMHash'
2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple] - PASS: '5570'
authenticated as '48, 48'
2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header] - PASS: '5570'
authenticated as '(null)'
2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys] - PASS: '5570'
authorized for '/keys'
2019-02-25 09:21:47 - Secrets-[/keys] - DENIED:
'(null)' requested key 'ca/caSigningCert cert-pki-ca'
-K
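Added triage script (not part of the original post, and not Custodia's or IPA's own code) that reads lines in the format quoted above, ties each Secrets verdict to the auth/authz chain that preceded it, and lists the DENIED key requests. It assumes the log is written sequentially per request and that wrapped lines have been re-joined; the sample below is the post's own lines re-joined that way.

```python
import re

# Custodia-style secrets log:  <date> <time> - <Component>-[<stage>] - <VERDICT>: <details>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<component>[^-\[]+)-\[(?P<stage>[^\]]+)\] - "
    r"(?P<verdict>[A-Z]+): (?P<details>.*)$"
)
PID_RE = re.compile(r"^'(?P<pid>\d+)' ")                       # auth/authz lines start with the request id
KEY_RE = re.compile(r"^'(?P<who>[^']*)' requested key '(?P<key>[^']*)'$")  # Secrets lines

# Lines from the post, re-joined onto single lines (constructed sample input).
SAMPLE_LOG = """\
2019-02-09 16:14:53 - SimpleCredsAuth-[auth:simple] - PASS: '30015' authenticated as '48, 48'
2019-02-09 16:14:53 - SimpleHeaderAuth-[auth:header] - PASS: '30015' authenticated as '(null)'
2019-02-09 16:14:53 - IPAKEMKeys-[authz:kemkeys] - PASS: '30015' authorized for '/keys'
2019-02-09 16:14:53 - Secrets-[/keys] - ALLOWED: '(null)' requested key 'ra/ipaCert'
2019-02-25 09:21:47 - SimpleCredsAuth-[auth:simple] - PASS: '5570' authenticated as '48, 48'
2019-02-25 09:21:47 - SimpleHeaderAuth-[auth:header] - PASS: '5570' authenticated as '(null)'
2019-02-25 09:21:47 - IPAKEMKeys-[authz:kemkeys] - PASS: '5570' authorized for '/keys'
2019-02-25 09:21:47 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'
""".splitlines()


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(lines):
    """Walk the log in order and attach each Secrets verdict to the auth/authz
    stages seen since the previous verdict (assumes one request at a time)."""
    current, results = {"stages": []}, []
    for ev in filter(None, map(parse_line, lines)):
        if ev["stage"] == "/keys":  # the Secrets line closes a request
            km = KEY_RE.match(ev["details"])
            results.append({"ts": ev["ts"], "pid": current.get("pid"),
                            "stages": current["stages"], "verdict": ev["verdict"],
                            "key": km.group("key") if km else ev["details"]})
            current = {"stages": []}
        else:
            pm = PID_RE.match(ev["details"])
            if pm:
                current["pid"] = pm.group("pid")
            current["stages"].append((ev["stage"], ev["verdict"]))
    return results


def denied(lines):
    """Only the requests that passed authn/authz but were refused at the Secrets stage."""
    return [r for r in correlate(lines) if r["verdict"] == "DENIED"]


if __name__ == "__main__":
    for r in denied(SAMPLE_LOG):
        print(f"{r['ts']} pid={r['pid']} key={r['key']!r} stages={r['stages']}")
```

The output for the sample shows that request 5570 cleared auth:simple, auth:header and authz:kemkeys and was refused only by the Secrets handler, so the denial is a per-key decision rather than an authentication failure.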
Problem Renewing Server Certificates
by Wolf, Brian
I installed PKI-CA two years ago on a Redhat 7 server. I used it to create certificates for an application and have not needed it since. Now that the PKI server certificates are about to expire, I'm trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal . I am getting an error when I try to submit the renewal request. The error seems to be that it can't find /pki/rest/info.
Installed packages:
pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64
java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64
rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch
Listing the certificates works. We do not use the default instance of pki-tomcat.
# pki-server cert-find -i <my-instance> ca
-----------------
5 entries matched
-----------------
Cert ID: ca_signing
Nickname: caSigningCert ... CA
Token: Internal Key Storage Token
Serial Number: 0x1
Subject DN: CN=CA Signing Certificate,...
Issuer DN: CN=CA Signing Certificate,...
Not Valid Before: Fri Mar 10 16:38:21 2017
Not Valid After: Tue Mar 10 16:38:21 2037
Cert ID: ca_ocsp_signing
Nickname: ocspSigningCert ... CA
Token: Internal Key Storage Token
Serial Number: 0x2
Subject DN: CN=CA OCSP Signing Certificate,...
Issuer DN: CN=CA Signing Certificate,OU=...
Not Valid Before: Fri Mar 10 16:38:23 2017
Not Valid After: Thu Feb 28 16:38:23 2019
[snip]
But the renewal request gives a Not Found error:
# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKIException: Not Found
Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?
# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: my-server:8370
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 977
Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255
exporting sub CA to pem format
by joris dedieu
Hello Pki users,
I found how to issue a sub certificate with pki ca-authority-create
and export the certificate with ca-authority-show, but I don't understand
how to export the Sub CA key. I need it to sign some certificates with
puppet or openssl. Is there a way to do so?
Best Regards
Joris