Z D,

No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:

`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`

-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.

NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server

Reference:
https://www.dogtagpki.org/wiki/PKI_Client_CLI

Regards,
Dinesh

On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:

Thanks Dinesh, I was able to submit request using caManualRenewal.xml file, but I need clarity about approval. 


I believe default CA admin can be used as CA agent. So password I use for "-c" is the one I have in files like

/root/.dogtag/pki-tomcat/ca/password.conf and

/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf


NSS database is located in /etc/pki/pki-tomcat/alias, is this the one I should use for "-d" ?


The command:

pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve


give the output:


IncorrectPasswordException: Incorrect client security database password.




From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com>
Sent: Sunday, November 18, 2018 10:40:01 AM
To: Z D; John Magne; pki-users@redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
 
Hi Zarko,

May be this documentation might help? https://www.dogtagpki.org/wiki/System_Certificate_Renewal

It has instructions for 10.3 or earlier. Let us know if that helped!

Regards,
Dinesh


On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:

Hi John, thanks for the feedback.


I used this URL as help to disable self tests.

https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process


Many of  "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5.
But I was able to disable self test and PKI is responsive now.
After system time is back, I use 'getcert resubmit' to renew a cert and seeing this certmonger errors 

Basically is some :
"ACIError: Insufficient access:  Invalid credentials"

[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012    if ca.is_renewal_master():#012  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012    self.ldap_connect()#012  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012    conn.do_bind(self.dm_password, autobind=self.autobind)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012    self.do_sasl_gssapi_bind(timeout=timeout)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012    self.__bind_with_wait(self.gssapi_bind, timeout)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012    bind_func(*args, **kwargs)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012    '', auth_tokens, server_controls, client_controls)#012  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012    self.gen.throw(type, value, traceback)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012    raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access:  Invalid credentials


[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access:  Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error

Is there any URL that's relevant for pki 10.3

thanks in advance, Zarko



From: John Magne <jmagne@redhat.com>
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
 
Hi:

YOu can try to temporarily disable the self tests for you ca, until
the new certs are resolved.

Look in the CS.cfg file for the ca in question and there is a big section
controlling the self tests. Just experiment with commenting out the tests and see if that
gets you past the hurdle..




_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users