Try adding a -U option with the CA URL, for example:

    pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal

I added a -d option to point to an NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.

A request should be created and remain in pending state until an agent approves it. (Use a profile with agent authentication for automatic issuance; a user with SSL client auth should have automatic renewal/cert issuance.)

Thanks,
M.
On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian <brian.w...@risd.org> wrote:
> I installed PKI-CA two years ago on a Redhat 7 server. I used it to create
> certificates for an application and have not needed it since. Now the PKI
> server certificates are about to expire, and I'm trying to renew them using
> the directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal.
> I am getting an error when I try to submit the renewal request. The error
> seems to be that it can't find /pki/rest/info.
>
> Installed packages:
>
> pki-base-10.5.9-6.el7.noarch
> pki-base-java-10.5.9-6.el7.noarch
> pki-ca-10.5.9-6.el7.noarch
> pki-kra-10.5.9-6.el7.noarch
> pki-server-10.5.9-6.el7.noarch
> pki-tools-10.5.9-6.el7.x86_64
> nuxwdog-1.0.3-8.el7.x86_64
>
> java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
> java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
> javapackages-tools-3.4.1-11.el7.noarch
> javassist-3.16.1-10.el7.noarch
> nuxwdog-client-java-1.0.3-8.el7.x86_64
>
> rest-0.8.1-2.el7.x86_64
> resteasy-base-atom-provider-3.0.6-4.el7.noarch
> resteasy-base-client-3.0.6-4.el7.noarch
> resteasy-base-jackson-provider-3.0.6-4.el7.noarch
> resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
> resteasy-base-jaxrs-3.0.6-4.el7.noarch
> resteasy-base-jaxrs-api-3.0.6-4.el7.noarch
>
> Listing the certificates works. We do not use the default instance of
> pki-tomcat.
>
> # pki-server cert-find -i <my-instance> ca
> -----------------
> 5 entries matched
> -----------------
>   Cert ID: ca_signing
>   Nickname: caSigningCert … CA
>   Token: Internal Key Storage Token
>   Serial Number: 0x1
>   Subject DN: CN=CA Signing Certificate,…
>   Issuer DN: CN=CA Signing Certificate,…
>   Not Valid Before: Fri Mar 10 16:38:21 2017
>   Not Valid After: Tue Mar 10 16:38:21 2037
>
>   Cert ID: ca_ocsp_signing
>   Nickname: ocspSigningCert … CA
>   Token: Internal Key Storage Token
>   Serial Number: 0x2
>   Subject DN: CN=CA OCSP Signing Certificate,…
>   Issuer DN: CN=CA Signing Certificate,OU=…
>   Not Valid Before: Fri Mar 10 16:38:23 2017
>   Not Valid After: Thu Feb 28 16:38:23 2019
>
> [snip]
>
> But the renewal request gives a Not Found error:
>
> # pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> PKIException: Not Found
>
> Adding -v shows an error on the HTTP GET of /pki/rest/info. I don't see
> that directory structure anywhere on the server. Am I missing something in
> the configuration, or is there another package I need to install? Do I have
> to point the command to our non-default instance, and if so, how do I do
> that?
>
> # pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> PKI options: -v
> PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Server URI: http://my-server:8370
> Client security database: /root/.dogtag/nssdb
> Message format: null
> Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Initializing security database
> Module: ca
> Module: cert
> Module: request-submit
> Retrieving caManualRenewal profile.
> Initializing PKIClient
> HTTP request: GET /pki/rest/info HTTP/1.1
>   Accept-Encoding: gzip, deflate
>   Accept: application/xml
>   Host: my-server:8370
>   Connection: Keep-Alive
>   User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
> HTTP response: HTTP/1.1 404 Not Found
>   Server: Apache-Coyote/1.1
>   Content-Type: text/html;charset=utf-8
>   Content-Language: en
>   Content-Length: 977
>   Date: Fri, 15 Feb 2019 18:53:25 GMT
> com.netscape.certsrv.base.PKIException: Not Found
>         at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
>         at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
>         at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
>         at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
>         at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
>         at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
>         at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
> ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
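As an added example (not code from this thread or from Dogtag itself): a small Python script that parses `pki-server cert-find` output in the layout quoted above, flags system certificates whose "Not Valid After" falls within a renewal window, and builds the `pki ... --renewal` invocation with -U and -d as the reply suggests. The sample output, the as-of date (taken from the Date header in the trace) and the CA URL / NSS db path are constructed for illustration.

```python
"""Flag expiring Dogtag system certs from `pki-server cert-find` output."""
from datetime import datetime
import re
# Constructed sample in the format quoted in the thread (not real server output).
SAMPLE = """\
2 entries matched
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-ca CA
  Serial Number: 0x1
  Not Valid After: Tue Mar 10 16:38:21 2037

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert cert-pki-ca CA
  Serial Number: 0x2
  Not Valid After: Thu Feb 28 16:38:23 2019
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"          # date layout printed by cert-find
AS_OF = datetime(2019, 2, 15, 18, 53, 25)  # assumed "now" (the thread's Date header)

def parse_cert_find(text):
    """Return one dict per 'Cert ID:' block, keyed by the printed field names."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue                      # separators, entry counts, blank lines
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Cert ID":
            cur = {"id": val}
            certs.append(cur)
        elif cur is not None:
            cur[key] = val
    return certs

def expiring(certs, now=AS_OF, days=30):
    """(id, serial, days_left) for certs expiring within `days` or already expired."""
    out = []
    for c in certs:
        left = (datetime.strptime(c["Not Valid After"], DATE_FMT) - now).days
        if left <= days:
            out.append((c["id"], c["Serial Number"], left))
    return out

def renewal_command(ca_url, nssdb, serial, profile="caManualRenewal"):
    """Renewal invocation as suggested in the reply: -U selects the (non-default)
    instance by its CA URL, -d an NSS db that trusts the server cert's issuer."""
    return ["pki", "-U", ca_url, "-d", nssdb, "ca-cert-request-submit",
            "--profile", profile, "--serial", serial, "--renewal"]
```

Run `expiring(parse_cert_find(SAMPLE))` against real `pki-server cert-find -i <instance> ca` output to get the serials that need a request, then pass each to `renewal_command`.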