Try adding a -U option with the CA URL, for example:
pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal
I added a -d option to point to an NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.
A request should be created and stay in the pending state until an agent approves it.
(Use a profile with agent authentication for automatic issuance; a user with SSL client auth should have automatic renewal/cert issuance.)
Thanks,
M.

On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian <Brian.Wolf@risd.org> wrote:

I installed PKI-CA two years ago on a Red Hat 7 server. I used it to create certificates for an application and have not needed it since. Now that the PKI server certificates are about to expire, I'm trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal . I am getting an error when I try to submit the renewal request. The error seems to be that it can't find /pki/rest/info.

Installed packages:

pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64

java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64

rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch

Listing the certificates works. We do not use the default instance of pki-tomcat.

# pki-server cert-find -i <my-instance> ca
-----------------
5 entries matched
-----------------
  Cert ID: ca_signing
  Nickname: caSigningCert … CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,…
  Issuer DN: CN=CA Signing Certificate,…
  Not Valid Before: Fri Mar 10 16:38:21 2017
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert … CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,…
  Issuer DN: CN=CA Signing Certificate,OU=…
  Not Valid Before: Fri Mar 10 16:38:23 2017
  Not Valid After: Thu Feb 28 16:38:23 2019

[snip]

But the renewal request gives a Not Found error:

# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKIException: Not Found

Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?

# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: my-server:8370
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 977
  Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
        at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
        at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
        at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
        at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
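One way to answer the "how do I point the command to our non-default instance" question above, as an added example that is not part of the thread or of Dogtag: it reads the instance's Tomcat server.xml (a constructed sample here; the /var/lib/pki/<instance>/conf/server.xml path is an assumption) to find the TLS connector, then builds the -U/-d invocation from the reply, and can check whether a given port is served as plain HTTP, which is what the client spoke to 8370 in the verbose output.

```python
"""Point the pki CLI at a non-default Dogtag instance over HTTPS.

Added example, not code from the thread or from Dogtag. It parses the
instance's Tomcat server.xml (constructed sample below), picks the TLS
connector, and builds the 'pki -U https://host:port/ca -d ...' command from
the reply. It can also tell whether a port is a plain-HTTP connector; the
thread's client spoke http:// to 8370 and got 404 on GET /pki/rest/info.
"""
import xml.etree.ElementTree as ET

# Constructed sample. The real file normally lives at
# /var/lib/pki/<instance>/conf/server.xml (assumed path; verify locally).
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Unsecure" port="8370" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector name="Secure" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"/>
  </Service>
</Server>
"""

def _connectors(server_xml):
    """Yield (port, is_tls) for every <Connector> in the file."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_tls = (conn.get("SSLEnabled", "").lower() == "true"
                  or conn.get("scheme", "").lower() == "https")
        yield int(conn.get("port")), is_tls

def https_port(server_xml):
    """Port of the first TLS connector; error if the instance has none."""
    for port, is_tls in _connectors(server_xml):
        if is_tls:
            return port
    raise ValueError("no SSL-enabled connector in server.xml")

def connector_is_plain_http(server_xml, port):
    """True when 'port' is served without TLS (the thread's -p 8370 case)."""
    return any(p == port and not is_tls for p, is_tls in _connectors(server_xml))

def build_pki_command(host, server_xml, nssdb, serial, profile="caManualRenewal"):
    """argv submitting a renewal request to the CA REST API over HTTPS."""
    url = f"https://{host}:{https_port(server_xml)}/ca"
    return ["pki", "-v", "-U", url, "-d", nssdb, "ca-cert-request-submit",
            "--profile", profile, "--serial", serial, "--renewal"]

if __name__ == "__main__":
    print(" ".join(build_pki_command("my-server", SAMPLE_SERVER_XML, "/root/.dogtag/nssdb", "0x2")))
    print("8370 plain HTTP:", connector_is_plain_http(SAMPLE_SERVER_XML, 8370))
```

The NSS db passed with -d must already trust the CA's HTTPS certificate issuer, as the reply notes, or the TLS handshake fails before any REST call is made.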