Hi Zarko,

Maybe this documentation might help?

https://www.dogtagpki.org/wiki/System_Certificate_Renewal

It has instructions for 10.3 or earlier. Let us know if that helped!

Regards,
Dinesh

On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
> Hi John, thanks for the feedback.
>
> I used this URL as help to disable self tests.
>
> https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
>
> Many of the "pki-server" command options are not present for me, since the pki-server version is 10.3; I believe the doc applies to 10.5.
>
> But I was able to disable the self tests and PKI is responsive now.
>
> After the system time is set back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors.
>
> Basically it is some:
>
> "ACIError: Insufficient access: Invalid credentials"
>
> [journalctl messages]
> ------------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials
>
> [syslog messages]
> ------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
>     sys.exit(main())
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
>     if ca.is_renewal_master():
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
>     self.ldap_connect()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
>     conn.do_bind(self.dm_password, autobind=self.autobind)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
>     self.do_sasl_gssapi_bind(timeout=timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
>     self.__bind_with_wait(self.gssapi_bind, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
>     bind_func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
>     '', auth_tokens, server_controls, client_controls)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
>     raise errors.ACIError(info="%s %s" % (info, desc))
> ACIError: Insufficient access: Invalid credentials
> Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
>
> Is there any URL that's relevant for pki 10.3?
>
> Thanks in advance,
> Zarko
>
> From: John Magne <jma...@redhat.com>
> Sent: Wednesday, November 14, 2018 6:16 PM
> To: Z D
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> Hi:
>
> You can try to temporarily disable the self tests for your CA, until the new certs are resolved.
>
> Look in the CS.cfg file for the CA in question and there is a big section controlling the self tests. Just experiment with commenting out the tests and see if that gets you past the hurdle.
>
> _______________________________________________
> Pki-users mailing list
> pki-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users