I installed PKI-CA two years ago on a Red Hat 7 server. I used it to create certificates for an application and have not needed it since. Now the PKI server certificates are about to expire, and I'm trying to renew them using the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal. I am getting an error when I try to submit the renewal request. The error seems to be that it can't find /pki/rest/info.

Installed packages:

pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
nuxwdog-1.0.3-8.el7.x86_64
java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
javapackages-tools-3.4.1-11.el7.noarch
javassist-3.16.1-10.el7.noarch
nuxwdog-client-java-1.0.3-8.el7.x86_64
rest-0.8.1-2.el7.x86_64
resteasy-base-atom-provider-3.0.6-4.el7.noarch
resteasy-base-client-3.0.6-4.el7.noarch
resteasy-base-jackson-provider-3.0.6-4.el7.noarch
resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
resteasy-base-jaxrs-3.0.6-4.el7.noarch
resteasy-base-jaxrs-api-3.0.6-4.el7.noarch

Listing the certificates works. We do not use the default instance of pki-tomcat.

# pki-server cert-find -i <my-instance> ca
-----------------
5 entries matched
-----------------
  Cert ID: ca_signing
  Nickname: caSigningCert ... CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,...
  Issuer DN: CN=CA Signing Certificate,...
  Not Valid Before: Fri Mar 10 16:38:21 2017
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert ... CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,...
  Issuer DN: CN=CA Signing Certificate,OU=...
  Not Valid Before: Fri Mar 10 16:38:23 2017
  Not Valid After: Thu Feb 28 16:38:23 2019

[snip]

But the renewal request gives a Not Found error:

# pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKIException: Not Found

Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?

# pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
PKI options: -v
PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Message format: null
Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
Initializing security database
Module: ca
Module: cert
Module: request-submit
Retrieving caManualRenewal profile.
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: my-server:8370
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 977
  Date: Fri, 15 Feb 2019 18:53:25 GMT
com.netscape.certsrv.base.PKIException: Not Found
  at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
  at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
  at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
  at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
  at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
  at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
  at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
  at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
  at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
  at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
  at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
  at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
  at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
  at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
  at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users