yes, the CA cert could be trusted in ~/.dogtag/nssdb/
my test was using a different path.
it is just a warning, so the renewal should have been processed, check in
the transactions log file.
Thanks,
M.
On Tue, Feb 19, 2019 at 2:39 PM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
Thanks. That got me a little farther:
# pki -U
https://mydomain.example.xyz:8373 ca-cert-request-submit
--profile caManualRenewal --serial 0x2 --renewal
WARNING: UNTRUSTED ISSUER encountered on 'CN=mydomain.example.xyz
,OU=my-instance,O=example.xyz' indicates a non-trusted CA cert 'CN=CA
Signing Certificate,OU=my-instance,O=example.xyz'
Import CA certificate (Y/n)?
“CA Signing Certificate” is the base signing certificate (serial number
0x1). Should the WARNING and prompt about importing it (to where?) be
expected? I’m running the commands locally on the CA server, FWIW.
Your command example includes “-d ~/.dogtag/subca1”. The man page says –d
is for the client security database location. I just have the default nssdb
and my instance directory under ~/.dogtag, so I’m guessing the default
nssdb is what I need?
# ls -l ~/.dogtag
total 4
drwxr-xr-x. 2 root root 51 Mar 22 2017 nssdb
drwxrwxr-x. 3 root root 4096 Oct 6 2017 my-instance
- Brian
*From:* Marc Sauton [mailto:msauton@redhat.com]
*Sent:* Friday, February 15, 2019 7:01 PM
*To:* Wolf, Brian <Brian.Wolf(a)risd.org>
*Cc:* pki-users(a)redhat.com
*Subject:* Re: [Pki-users] Problem Renewing Server Certificates
Try adding a -U option with the CA URL, like for example:
pki -v -U
https://ca1.example.test:8443/ca -d ~/.dogtag/subca1
ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal
I added a -d option to point to a NSS db that already trust the issuer of
the SSL certificate presented in the HTTPS connection.
A request should be created and in pending state, until an agent approves
it.
( use a profile with agent authentication for automatic issuance, user
with SSL client auth should have automatic renewal/cert issuance)
Thanks,
M.
On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian <Brian.Wolf(a)risd.org> wrote:
I installed PKI-CA two years ago on a Redhat 7 server. I used it to create
certificates for an application and have not needed it since. Now the PKI
server certificates are about to expire, I’m trying to renew them using the
directions at
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
. I am getting an error when I try to submit the renewal request. The
error seems to be that it can’t find /pki/rest/info.
Installed packages:
pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64
java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64
rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch
Listing the certificates works. We do not use the default instance of
pki-tomcat.
# pki-server cert-find -i <my-instance> ca
-----------------
5 entries matched
-----------------
Cert ID: ca_signing
Nickname: caSigningCert … CA
Token: Internal Key Storage Token
Serial Number: 0x1
Subject DN: CN=CA Signing Certificate,…
Issuer DN: CN=CA Signing Certificate,…
Not Valid Before: Fri Mar 10 16:38:21 2017
Not Valid After: Tue Mar 10 16:38:21 2037
Cert ID: ca_ocsp_signing
Nickname: ocspSigningCert … CA
Token: Internal Key Storage Token
Serial Number: 0x2
Subject DN: CN=CA OCSP Signing Certificate,…
Issuer DN: CN=CA Signing Certificate,OU=…
Not Valid Before: Fri Mar 10 16:38:23 2017
Not Valid After: Thu Feb 28 16:38:23 2019
[snip]
But the renewal request gives a Not Found error:
# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial
0x2 --renewal
PKIException: Not Found
Adding –v shows an error on the HTTP GET of /pki/rest/info. I don’t see
that directory structure anywhere on the server. Am I missing something in
the configuration, or is there another package I need to install? Do I have
to point the command to our non-default instance, and if so, how do I do
that?
# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial
0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal
--serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-Djava.ext.dirs=/usr/share/pki/lib
-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties
com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit
--profile caManualRenewal --serial 0x2 --renewal
Server URI:
http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2
--renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: my-server:8370
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 977
Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
at
com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
at
com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
at
com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
at
com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
at
com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at
com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java',
'-Djava.ext.dirs=/usr/share/pki/lib',
'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties',
'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p',
'8370',
'ca-cert-request-submit', '--profile', 'caManualRenewal',
'--serial',
'0x2', '--renewal']' returned non-zero exit status 255
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users