08.xml

or use the pki command like tool with the option ca-cert-request-review : https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request for example: pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 --action approve and after successful authentication, the URI is in the form of /ca/rest/agent/certrequests/xx/approve where xx is the request id it is a HTTPS POST operation Thanks, M. On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35(a)gmail.com&gt; wrote: > Hello > > > I'm trying to approve certificate requests by using curl as in > https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... > > I manage to submit certificate requests by posting an xml request > template, I can retrieve the list of requests, the curl command for a > review works fine, but I'm stuck with approval by using curl (I can approve > CSR with pki tool but I still don't know do the same with curl). > > BTW, here is my command for reviewing request: > > curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> > https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header > "Content-Type:application/xml" | xmllint --format - > > > Can someone tell me what's the correct curl command to approve cr? or is > there any example of request approval (with curl) somewhere? or even > something more detailed than > https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... > ? > > PS: I had a look at the JAVA API ( > https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certifi...) > but it didn't help me so much. > > Regards, > Pier > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users

BTW, it is similar issue than raised in https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ... Le lun. 8 févr. 2021 à 16:51, Perig Bouenou <pseite35(a)gmail.com&gt; a écrit : > Hi, > > Thanks for the hint. Now, I make with curl the same queries than "a pki > -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review 8 > --action approve" (I'm using unsecure port to be able to capture > unencrypted queries to the API): > > I start with a login and a review to get a nonce: > > curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> > https://dogtag.org:8443/ca/rest/account/login > curl -s -H "Accept: application/xml" --cert-type P12 --cert > ca_admin_cert.p12:<pkc12pwd> > https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint --format > - > 08.xml > > The nonce is well generated: > > $ grep nonce 08.xml > <nonce>-8605088983470492766</nonce> > > Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but the > request returns the error "Nonce for cert-request 8 does not exist" > > curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> > https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve --header > "Content-Type:application/xml" -H "Accept: application/json" > { > "Attributes": { > "Attribute": [] > }, > "ClassName": "com.netscape.certsrv.base.BadRequestException", > "Code": 400, > "Message": "Nonce for cert-request 8 does not exist" > } > > Something is missing... any ideas? > > BR > > Le jeu. 4 févr. 2021 à 23:38, Marc Sauton <msauton(a)redhat.com&gt; a écrit : > >> or use the pki command like tool with the option ca-cert-request-review : >> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request >> for example: >> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C >> ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 >> --action approve >> >> and after successful authentication, the URI is in the form >> of /ca/rest/agent/certrequests/xx/approve >> where xx is the request id >> it is a HTTPS POST operation >> >> Thanks, >> M. >> >> >> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35(a)gmail.com&gt; wrote: >> >>> Hello >>> >>> >>> I'm trying to approve certificate requests by using curl as in >>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... >>> >>> I manage to submit certificate requests by posting an xml request >>> template, I can retrieve the list of requests, the curl command for a >>> review works fine, but I'm stuck with approval by using curl (I can approve >>> CSR with pki tool but I still don't know do the same with curl). >>> >>> BTW, here is my command for reviewing request: >>> >>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> >>> https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header >>> "Content-Type:application/xml" | xmllint --format - >>> >>> >>> Can someone tell me what's the correct curl command to approve cr? or >>> is there any example of request approval (with curl) somewhere? or even >>> something more detailed than >>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... >>> ? >>> >>> PS: I had a look at the JAVA API ( >>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certifi...) >>> but it didn't help me so much. >>> >>> Regards, >>> Pier >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users(a)redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >> >>

Actually, I forgot to include the session coolie in the requests... Here is a script that works: curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/account/login curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID | xmllint --format - > review.xml curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve --header "Content-Type:application/xml" -H "Accept: application/json" -d @review.xml | jq Hopefully it can be useful for someone else... Le lun. 8 févr. 2021 à 18:40, Perig Bouenou <pseite35(a)gmail.com&gt; a écrit : > according to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems > that login permission for certServer.ca.account are not set and the > session is not created. > > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: > CertUserDBAuthentication: UID caadmin authenticated. > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User > ID: caadmin > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: > retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User > DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles: > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Certificate Manager Agents > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Security Domain Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise CA Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise KRA Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise OCSP Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise TKS Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise RA Administrators > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - > Enterprise TPS Administrators > > Here, Granting login permission for certServer.ca.account and Creating > session are missing... > > > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: > retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: > Granting execute permission for certServer.ca.certrequests > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: > CertRequestService: Validating certificate request 12 > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: > reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: > retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: > Granting approve permission for certServer.ca.request.profile > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: > Nonce: 2691022150130176365 > 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: > Nonce for cert-request 12 does not exist > > Le lun. 8 févr. 2021 à 16:57, Perig Bouenou <pseite35(a)gmail.com&gt; a > écrit : > >> BTW, it is similar issue than raised in >> https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ... >> >> Le lun. 8 févr. 2021 à 16:51, Perig Bouenou <pseite35(a)gmail.com&gt; a >> écrit : >> >>> Hi, >>> >>> Thanks for the hint. Now, I make with curl the same queries than "a pki >>> -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review >>> 8 --action approve" (I'm using unsecure port to be able to capture >>> unencrypted queries to the API): >>> >>> I start with a login and a review to get a nonce: >>> >>> curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> >>> https://dogtag.org:8443/ca/rest/account/login >>> curl -s -H "Accept: application/xml" --cert-type P12 --cert >>> ca_admin_cert.p12:<pkc12pwd> >>> https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint >>> --format - > 08.xml >>> >>> The nonce is well generated: >>> >>> $ grep nonce 08.xml >>> <nonce>-8605088983470492766</nonce> >>> >>> Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but >>> the request returns the error "Nonce for cert-request 8 does not exist" >>> >>> curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> >>> https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve --header >>> "Content-Type:application/xml" -H "Accept: application/json" >>> { >>> "Attributes": { >>> "Attribute": [] >>> }, >>> "ClassName": "com.netscape.certsrv.base.BadRequestException", >>> "Code": 400, >>> "Message": "Nonce for cert-request 8 does not exist" >>> } >>> >>> Something is missing... any ideas? >>> >>> BR >>> >>> Le jeu. 4 févr. 2021 à 23:38, Marc Sauton <msauton(a)redhat.com&gt; a >>> écrit : >>> >>>> or use the pki command like tool with the option >>>> ca-cert-request-review : >>>> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request >>>> for example: >>>> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C >>>> ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 >>>> --action approve >>>> >>>> and after successful authentication, the URI is in the form >>>> of /ca/rest/agent/certrequests/xx/approve >>>> where xx is the request id >>>> it is a HTTPS POST operation >>>> >>>> Thanks, >>>> M. >>>> >>>> >>>> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseite35(a)gmail.com&gt; >>>> wrote: >>>> >>>>> Hello >>>>> >>>>> >>>>> I'm trying to approve certificate requests by using curl as in >>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... >>>>> >>>>> I manage to submit certificate requests by posting an xml request >>>>> template, I can retrieve the list of requests, the curl command for a >>>>> review works fine, but I'm stuck with approval by using curl (I can approve >>>>> CSR with pki tool but I still don't know do the same with curl). >>>>> >>>>> BTW, here is my command for reviewing request: >>>>> >>>>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> >>>>> https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header >>>>> "Content-Type:application/xml" | xmllint --format - >>>>> >>>>> >>>>> Can someone tell me what's the correct curl command to approve cr? or >>>>> is there any example of request approval (with curl) somewhere? or even >>>>> something more detailed than >>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-... >>>>> ? >>>>> >>>>> PS: I had a look at the JAVA API ( >>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certifi...) >>>>> but it didn't help me so much. >>>>> >>>>> Regards, >>>>> Pier >>>>> _______________________________________________ >>>>> Pki-users mailing list >>>>> Pki-users(a)redhat.com >>>>> https://www.redhat.com/mailman/listinfo/pki-users >>>> >>>>