Thanks Dinesh, I was able to submit a request using the caManualRenewal.xml file, but I need clarity about approval.
I believe the default CA admin can be used as a CA agent, so the password I use for "-c" is the one I have in files like
/root/.dogtag/pki-tomcat/ca/password.conf and
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
The NSS database is located in /etc/pki/pki-tomcat/alias; is this the one I should use for "-d"?
The command:
pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve
gives the output:
IncorrectPasswordException: Incorrect client security database password.
Hi John, thanks for the feedback.
I used this URL as help to disable self tests.
https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
Many of the "pki-server" command options are not present for me; since the pki-server version is 10.3, I believe the doc applies to 10.5.
But I was able to disable the self tests, and PKI is responsive now.
After the system time is back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors.
Basically it is something like:
"ACIError: Insufficient access: Invalid credentials"
[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
Is there any URL that's relevant for pki 10.3?
Thanks in advance, Zarko
From: John Magne <jmagne@redhat.com>
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users