Actually, I forgot to include the session cookie in the requests... Here is a script that works:

curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$P12_PWD https://dogtag.org:8443/ca/rest/account/login
curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:$P12_PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID | xmllint --format - > review.xml
curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$P12_PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve --header "Content-Type:application/xml" -H "Accept: application/json" -d @review.xml | jq

Hopefully it can be useful for someone else...

On Mon, 8 Feb 2021 at 18:40, Perig Bouenou <pseite35@gmail.com> wrote:

According to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems that the login permission for certServer.ca.account is not set and the session is not created.

2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertUserDBAuthentication: UID caadmin authenticated.
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID: caadmin
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Certificate Manager Agents
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Security Domain Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise CA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise KRA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise OCSP Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TKS Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise RA Administrators
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TPS Administrators

Here, "Granting login permission for certServer.ca.account" and "Creating session" are missing...

2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting execute permission for certServer.ca.certrequests
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertRequestService: Validating certificate request 12
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting approve permission for certServer.ca.request.profile
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: Nonce: 2691022150130176365
2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: Nonce for cert-request 12 does not exist

On Mon, 8 Feb 2021 at 16:57, Perig Bouenou <pseite35@gmail.com> wrote:

BTW, it is a similar issue to the one raised in https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...

On Mon, 8 Feb 2021 at 16:51, Perig Bouenou <pseite35@gmail.com> wrote:

Hi,
Thanks for the hint. Now I make with curl the same queries as "pki -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review 8 --action approve" does (I'm using the insecure port to be able to capture the unencrypted queries to the API):
I start with a login and a review to get a nonce:
curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/account/login
curl -s -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint --format - > 08.xml
The nonce is well generated:
$ grep nonce 08.xml
<nonce>-8605088983470492766</nonce>
Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but the request returns the error "Nonce for cert-request 8 does not exist"
curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve --header "Content-Type:application/xml" -H "Accept: application/json"
{
  "Attributes": {
    "Attribute": []
  },
  "ClassName": "com.netscape.certsrv.base.BadRequestException",
  "Code": 400,
  "Message": "Nonce for cert-request 8 does not exist"
}
Something is missing... any ideas?
BR

On Thu, 4 Feb 2021 at 23:38, Marc Sauton <msauton@redhat.com> wrote:

Or use the pki command line tool with the option ca-cert-request-review; for example:

pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 --action approve

and after successful authentication, the URI is in the form of /ca/rest/agent/certrequests/xx/approve where xx is the request id. It is a HTTPS POST operation.

Thanks,
M.

On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35@gmail.com> wrote:

Hello
I'm trying to approve certificate requests by using curl as in https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API

I manage to submit certificate requests by posting an xml request template, I can retrieve the list of requests, the curl command for a review works fine, but I'm stuck with approval by using curl (I can approve CSRs with the pki tool but I still don't know how to do the same with curl).

BTW, here is my command for reviewing a request:
curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header "Content-Type:application/xml" | xmllint --format -
Can someone tell me what's the correct curl command to approve cr? or is there any example of request approval (with curl) somewhere? or even something more detailed than https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API?
PS: I had a look at the JAVA API (https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certificate-request) but it didn't help me so much.
Regards,
Pier
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
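The working sequence from the top of the thread, wrapped into one sh script as an added example (not code from the thread or from the Dogtag project): login, review and approve share a single cookie jar, so the nonce issued at review time is looked up in the same server-side session at approve time, and the approve step is skipped when the review carries no nonce. The CA base URL, the P12 file name and the CA_URL, P12_FILE, P12_PASSWORD and REQUEST_ID environment variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: approve a Dogtag CA certificate request
# over the REST API inside ONE authenticated session. Assumed inputs (env vars):
#   CA_URL       base URL of the CA subsystem (default below is a placeholder)
#   P12_FILE     agent client certificate as PKCS#12
#   P12_PASSWORD PKCS#12 password (env var, so it does not appear in argv)
#   REQUEST_ID   request to approve; when unset, only the functions are defined
set -eu
CA_URL="${CA_URL:-https://dogtag.org:8443/ca}"
P12_FILE="${P12_FILE:-ca_admin_cert.p12}"
COOKIE_JAR="$(mktemp)"          # one cookie jar == one server-side session
trap 'rm -f "$COOKIE_JAR"' EXIT

# Print the <nonce> value found in a review document read from stdin, or nothing.
nonce_from_review() {
    sed -n 's/.*<nonce>\([^<]*\)<\/nonce>.*/\1/p' | head -n 1
}

# curl with the agent certificate, reading (-b) and updating (-c) the same jar,
# so the session cookie set at login travels with the review and approve calls.
ca_curl() {
    curl -sS --fail --cert-type P12 --cert "$P12_FILE:$P12_PASSWORD" \
         -b "$COOKIE_JAR" -c "$COOKIE_JAR" "$@"
}

approve_request() {
    req_id="$1"
    review="$(mktemp)"
    # 1. login: the server creates the session the nonce will be bound to
    ca_curl -o /dev/null "$CA_URL/rest/account/login"
    # 2. review: the nonce in the response is remembered only for this session
    ca_curl -H "Accept: application/xml" \
        "$CA_URL/rest/agent/certrequests/$req_id" > "$review"
    if [ -z "$(nonce_from_review < "$review")" ]; then
        echo "review of request $req_id carries no nonce; not approving" >&2
        rm -f "$review"
        return 1
    fi
    # 3. approve: post the review document (nonce included) in the same session
    ca_curl -X POST -H "Content-Type: application/xml" \
        -H "Accept: application/json" --data-binary "@$review" \
        "$CA_URL/rest/agent/certrequests/$req_id/approve"
    rm -f "$review"
}

if [ -n "${REQUEST_ID:-}" ]; then
    approve_request "$REQUEST_ID"
fi
```

Run it as `REQUEST_ID=12 P12_PASSWORD=... ./approve.sh`; a 400 "Nonce for cert-request ... does not exist" from the approve call means the review and approve did not share a session.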