Yes, good catch for the cookie header. Thanks for the feedback to the list.
M.

On Mon, Feb 8, 2021 at 1:17 PM Perig Bouenou <pseit...@gmail.com> wrote:
> Actually, I forgot to include the session cookie in the requests... Here
> is a script that works:
>
> curl -I -c /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/account/login
>
> curl -s -b /tmp/cookie -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID | xmllint --format - > review.xml
>
> curl -X POST -s -b /tmp/cookie --cert-type P12 --cert ca_admin_cert.p12:$PWD https://dogtag.org:8443/ca/rest/agent/certrequests/$ID/approve --header "Content-Type:application/xml" -H "Accept: application/json" -d @review.xml | jq
>
> Hopefully it can be useful for someone else...
>
> On Mon, Feb 8, 2021 at 18:40, Perig Bouenou <pseit...@gmail.com> wrote:
>> According to the debug logs in /var/log/pki/pki-tomcat/ca/, it seems
>> that login permission for certServer.ca.account is not set and the
>> session is not created.
>>
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertUserDBAuthentication: UID caadmin authenticated.
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User ID: caadmin
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: User DN: uid=caadmin,ou=people,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: Roles:
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Certificate Manager Agents
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Security Domain Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise CA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise KRA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise OCSP Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TKS Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise RA Administrators
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: PKIRealm: - Enterprise TPS Administrators
>>
>> Here, "Granting login permission for certServer.ca.account" and "Creating
>> session" are missing...
>>
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting execute permission for certServer.ca.certrequests
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CertRequestService: Validating certificate request 12
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: DBSSession: reading cn=12,ou=ca,ou=requests,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: UGSubsystem: retrieving user uid=caadmin,ou=People,dc=ca,dc=pki,dc=nono,dc=org
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: AAclAuthz: Granting approve permission for certServer.ca.request.profile
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] INFO: CAProcessor: Nonce: 2691022150130176365
>> 2021-02-08 16:22:35 [https-jsse-nio-8443-exec-25] WARNING: CAProcessor: Nonce for cert-request 12 does not exist
>>
>> On Mon, Feb 8, 2021 at 16:57, Perig Bouenou <pseit...@gmail.com> wrote:
>>> BTW, it is a similar issue to the one raised in
>>> https://www.redhat.com/archives/pki-users/2019-May/msg00002.html ...
>>>
>>> On Mon, Feb 8, 2021 at 16:51, Perig Bouenou <pseit...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> Thanks for the hint. Now I make with curl the same queries as
>>>> "pki -U http://dogtag.org:8080 -C nss_pwd -n caadmin ca-cert-request-review 8 --action approve"
>>>> (I'm using the unsecure port to be able to capture unencrypted queries to the API):
>>>>
>>>> I start with a login and a review to get a nonce:
>>>>
>>>> curl -s --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/account/login
>>>> curl -s -H "Accept: application/xml" --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/agent/certrequests/08 | xmllint --format - > 08.xml
>>>>
>>>> The nonce is well generated:
>>>>
>>>> $ grep nonce 08.xml
>>>> <nonce>-8605088983470492766</nonce>
>>>>
>>>> Then, I do a curl/POST to /ca/rest/agent/certrequests/8/approve, but
>>>> the request returns the error "Nonce for cert-request 8 does not exist":
>>>>
>>>> curl -X POST --cert-type P12 --cert ca_admin_cert.p12:<pkc12pwd> https://dogtag.org:8443/ca/rest/agent/certrequests/8/approve --header "Content-Type:application/xml" -H "Accept: application/json"
>>>> {
>>>>   "Attributes": {
>>>>     "Attribute": []
>>>>   },
>>>>   "ClassName": "com.netscape.certsrv.base.BadRequestException",
>>>>   "Code": 400,
>>>>   "Message": "Nonce for cert-request 8 does not exist"
>>>> }
>>>>
>>>> Something is missing... any ideas?
>>>>
>>>> BR
>>>>
>>>> On Thu, Feb 4, 2021 at 23:38, Marc Sauton <msau...@redhat.com> wrote:
>>>>> or use the pki command-line tool with the option ca-cert-request-review:
>>>>> https://github.com/dogtagpki/pki/wiki/Handling-Certificate-Request
>>>>> for example:
>>>>> pki -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 -C ~/.dogtag/subca1/pwdfile.txt -n caadmin ca-cert-request-review 1011 --action approve
>>>>>
>>>>> and after successful authentication, the URI is in the form
>>>>> of /ca/rest/agent/certrequests/xx/approve
>>>>> where xx is the request id
>>>>> it is an HTTPS POST operation
>>>>>
>>>>> Thanks,
>>>>> M.
>>>>>
>>>>> On Thu, Feb 4, 2021 at 1:43 AM Perig Bouenou <pseit...@gmail.com> wrote:
>>>>>> Hello
>>>>>>
>>>>>> I'm trying to approve certificate requests by using curl as in
>>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API
>>>>>>
>>>>>> I manage to submit certificate requests by posting an xml request
>>>>>> template, I can retrieve the list of requests, the curl command for a
>>>>>> review works fine, but I'm stuck with approval by using curl (I can
>>>>>> approve CSRs with the pki tool but I still don't know how to do the same with curl).
>>>>>>
>>>>>> BTW, here is my command for reviewing a request:
>>>>>>
>>>>>> curl -ks -X GET --cert-type P12 --cert ca_admin_cert.p12:<password> https://dogtag.server:8443/ca/rest/agent/certrequests/08 --header "Content-Type:application/xml" | xmllint --format -
>>>>>>
>>>>>> Can someone tell me what's the correct curl command to approve a CR? Or
>>>>>> is there any example of request approval (with curl) somewhere? Or even
>>>>>> something more detailed than
>>>>>> https://github.com/dogtagpki/pki/wiki/PKI-CA-Approve-Certificate-Request-REST-API ?
>>>>>>
>>>>>> PS: I had a look at the Java API
>>>>>> (https://github.com/dogtagpki/pki/wiki/PKI-CA-Java-API#approving-a-certificate-request)
>>>>>> but it didn't help me so much.
>>>>>>
>>>>>> Regards,
>>>>>> Pier

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
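The thread's fix (carry the session cookie from login through review to approve, because the nonce minted at review time is only found in that same session) collected into one script, as an added example that is neither the poster's script nor Dogtag project code. The URL paths and the shape of the error body come from the thread; the function names, the password file, and the sample XML and JSON used for the self-checks are this example's own constructions. It also avoids two things in the posted script: `PWD` as the password variable (a POSIX shell sets PWD to the working directory, so the password is read from a file instead) and a shared, world-readable /tmp/cookie holding an agent session (mktemp creates a private file).

```shell
#!/bin/sh
# Added example, not from the thread or the Dogtag project.
# Runs login -> review -> approve against a Dogtag CA with one cookie jar.
# Hypothetical inputs: CA_URL (e.g. https://ca.example.test:8443/ca),
# P12_FILE, a file holding the PKCS#12 password, and the request id.
set -eu

# Pull the first <nonce>...</nonce> value out of a review document on stdin.
# The nonce is a signed 64-bit integer, so allow a leading minus sign.
extract_nonce() {
    sed -n 's/.*<nonce>\(-\{0,1\}[0-9]\{1,\}\)<\/nonce>.*/\1/p' | head -n 1
}

# Succeed only when the review on stdin carries a nonce. A review fetched
# without the session cookie is exactly the case the thread diagnosed.
has_nonce() {
    [ -n "$(extract_nonce)" ]
}

# The CA rejects an approve whose nonce is not in the session with a 400
# BadRequestException body (quoted in the thread); detect that message.
is_nonce_error() {
    grep -q 'Nonce for cert-request [0-9][0-9]* does not exist'
}

# Constructed sample review fragment (not real CA output) for self-checks.
sample_review_xml() {
    printf '%s\n' '<CertReviewResponse>' '  <requestId>8</requestId>' \
        '  <nonce>-1234567890123456789</nonce>' '</CertReviewResponse>'
}

# Constructed sample of the error body seen when the cookie is missing.
sample_nonce_error_json() {
    printf '%s\n' '{' \
        '  "ClassName": "com.netscape.certsrv.base.BadRequestException",' \
        '  "Code": 400,' \
        '  "Message": "Nonce for cert-request 8 does not exist"' '}'
}

# approve_request CA_URL P12_FILE P12_PASS_FILE REQUEST_ID
approve_request() {
    ca_url=$1; p12=$2; pass_file=$3; req_id=$4
    pass=$(cat "$pass_file")        # keep the secret out of this script's argv
    jar=$(mktemp)                   # private cookie jar, not a shared /tmp path
    review=$(mktemp)
    trap 'rm -f "$jar" "$review"' EXIT

    # 1. Log in with the agent certificate; -c stores the session cookie.
    curl -sS -o /dev/null -c "$jar" --cert-type P12 --cert "$p12:$pass" \
        "$ca_url/rest/account/login"

    # 2. Review in the same session (-b); the CA binds a nonce to it.
    curl -sS -b "$jar" -H "Accept: application/xml" --cert-type P12 \
        --cert "$p12:$pass" "$ca_url/rest/agent/certrequests/$req_id" > "$review"
    if ! has_nonce < "$review"; then
        echo "review of request $req_id carries no nonce; not approving" >&2
        return 1
    fi

    # 3. Post the review document back, still carrying the cookie.
    resp=$(curl -sS -X POST -b "$jar" --cert-type P12 --cert "$p12:$pass" \
        -H "Content-Type: application/xml" -H "Accept: application/json" \
        -d @"$review" "$ca_url/rest/agent/certrequests/$req_id/approve")
    if printf '%s' "$resp" | is_nonce_error; then
        echo "approve rejected: nonce not found in this session" >&2
        return 1
    fi
    printf '%s\n' "$resp"
}

# Usage: ./approve.sh https://ca.example.test:8443/ca ca_admin_cert.p12 p12.pass 8
if [ "$#" -eq 4 ]; then
    approve_request "$@"
fi
```

The password still reaches curl's own command line, so on a shared host it is worth moving the `--cert` option into a curl config file passed with `-K` rather than handing it over as an argument. The script keeps TLS verification on; the `-k` in the thread's first review command would accept any server certificate, which is a poor fit for a channel that carries an agent session cookie.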