#999 Unable to submit a renewal request using pki cert-request-submit
Closed: Fixed None Opened 9 years ago by mrniranjan.

Unable to submit a renewal request using pki cert-request-submit.

[root@dhcp207-176 setup]# pki cert-request-submit a1.xml
PKIException: Internal Server Error

Contents of a1.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value>242</Value>
            <Descriptor>
                <Syntax>String</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

CA debug logs:

[09/May/2014:09:30:26][CertStatusUpdateTask]: reverse direction getting index 0
[09/May/2014:09:30:26][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord:     14
[09/May/2014:09:30:26][CertStatusUpdateTask]: Record does not qualify,notAfter Wed Oct 29 05:31:24 EDT 2014 date Fri May 09 09:30:26 EDT 2014
[09/May/2014:09:30:26][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter  mEnableRandomSerialNumbers=false  mCounter=-1
[09/May/2014:09:30:26][CertStatusUpdateTask]: In LdapBoundConnFactory::getConn()
[09/May/2014:09:30:26][CertStatusUpdateTask]: masterConn is connected: true
[09/May/2014:09:30:26][CertStatusUpdateTask]: getConn: conn is connected true
[09/May/2014:09:30:26][CertStatusUpdateTask]: getConn: mNumConns now 2
[09/May/2014:09:30:26][CertStatusUpdateTask]: Releasing ldap connection
[09/May/2014:09:30:26][CertStatusUpdateTask]: returnConn: mNumConns now 3
[09/May/2014:09:30:26][CertStatusUpdateTask]: DBSubsystem: getEntryAttribute:  dn=ou=certificateRepository, ou=ca, o=pki-tomcat-CA  attr=description:;
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter  mEnableRandomSerialNumbers=false
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter  CertificateRepositoryMode =
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter  modeChange=false
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: UpdateCounter  mEnableRandomSerialNumbers=false  mCounter=-1
[09/May/2014:09:30:26][CertStatusUpdateTask]: updateCertStatus done
[09/May/2014:09:30:26][CertStatusUpdateTask]: Starting cert checkRanges
[09/May/2014:09:30:26][CertStatusUpdateTask]: Serial Management not enabled. Returning ..
[09/May/2014:09:30:26][CertStatusUpdateTask]: cert checkRanges done
[09/May/2014:09:30:26][CertStatusUpdateTask]: Starting request checkRanges
[09/May/2014:09:30:26][CertStatusUpdateTask]: Serial Management not enabled. Returning ..
[09/May/2014:09:30:26][CertStatusUpdateTask]: request checkRanges done
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: mapping: default
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: required auth methods: [*]
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: anonymous access allowed
[09/May/2014:09:35:04][http-bio-8080-exec-8]: ACLInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: ACLInterceptor: No ACL mapping.
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: content-type: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: accept: [application/xml]
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: request format: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: response format: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[09/May/2014:09:35:04][http-bio-8080-exec-8]: Start of CertProcessor Input Parameters
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter profileId='caManualRenewal'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter serial_num='242'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter isRenewal='true'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter remoteAddr=''
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter remoteHost=''
[09/May/2014:09:35:04][http-bio-8080-exec-8]: End of CertProcessor Input Parameters
[09/May/2014:09:35:04][http-bio-8080-exec-8]: RenewalSubmitter: isRenewal true
[09/May/2014:09:35:04][http-bio-8080-exec-8]: processRenewal: renewProfileId caManualRenewal
[09/May/2014:09:35:04][http-bio-8080-exec-8]: RenewalSubmitter: renewal: found serial_num

Also, the profile XML of the caManualRenewal profile contains a <serialNumber> </serialNumber> element and also a value tag to enter the serial number, so I am not sure which one to use.

        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value>242</Value>
            <Descriptor>
                <Syntax>String</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>

Also, should the value of serialNumber be decimal or hexadecimal?


Okay, after specifying the serialNumber in the <serialNumber> </serialNumber> tag, the request was accepted successfully.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber>242</SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value>242</Value>
            <Descriptor>
                <Syntax>String</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

It works if the serial number is not added to <value></value> and is just specified in the <serialNumber> tag.

[root@dhcp207-176 setup]# pki cert-request-submit a1.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 305
  Type: renewal
  Request Status: pending
  Operation Result: success

When submitting the renewal request as below, it works:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber>244</SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
</CertEnrollmentRequest>

The XML template file comes from the below command:

pki cert-request-profile-show caManualRenewal --output a1.xml

master:

  • be31509dd9a8eb710dca6e2961043cb4043f45fa

Greetings,

The caManualRenewal profile has changed from the previous version:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
    <classId>caEnrollImpl</classId>
    <name>Renewal: Renew certificate to be manually approved by agents</name>
    <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>
    <enabled>true</enabled>
    <visible>true</visible>
    <enabledBy>admin</enabledBy>
    <authenticatorId></authenticatorId>
    <authzAcl></authzAcl>
    <renewal>false</renewal>
    <xmlOutput>false</xmlOutput>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Output id="o1">
        <name>Certificate Output</name>
        <classId>certOutputImpl</classId>
        <attributes name="pretty_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Pretty Print</Description>
            </Descriptor>
        </attributes>
        <attributes name="b64_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Base-64 Encoded</Description>
            </Descriptor>
        </attributes>
    </Output>
    <PolicySets/>
    <link href="https://pki1.example.org:30042/ca/rest/profiles/caManualRenewal" rel="self"/>
</Profile>

How do we specify the serial number in the profile?

I tried adding a <value> tag under <Attribute name="serial_num"> as shown below:

    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
            <value>53</value>
        </Attribute>
    </Input>

But I am unable to submit after the above modification; it fails with the below error:

# pki -d /opt/rhqa_pki/certs_db/ -c Secret123 -n "ROOTCA_agentV" -h pki1.example.org -p 30044 cert-request-submit /tmp/myoutput2.xml 
Error: unexpected element (uri:"", local:"Profile"). Expected elements are <{}Attribute>,<{}CertEnrollmentRequest>,<{}Input>,<{}descriptor>,<{}profileOutput>

Please provide the method to submit a renewal request using the CLI.

The request template has not changed. As end-entity, the request template can be obtained using the following command:

$ pki cert-request-profile-show caManualRenewal --output caManualRenewal.request

It generates the following request template:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

The request template can be used to create a request by adding the serial number to either the <SerialNumber> element or the <Value> element under the "serial_num" attribute.

The request can be submitted using the following command:

$ pki ... cert-request-submit caManualRenewal.request

As admin, the request can be approved using the following command:

$ pki ... cert-request-review <request ID> --action approve

Separately, as admin the profile configuration can be obtained using the following command:

$ pki ... ca-profile-show caManualRenewal --output caManualRenewal.profile

The profile configuration contains the <Profile> element:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
    <classId>caEnrollImpl</classId>
    <name>Renewal: Renew certificate to be manually approved by agents</name>
    <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>

    ...

</Profile>

The profile configuration cannot be used to submit a renewal request. The status of this ticket has been restored to resolved as fixed. No additional change is necessary at this point.

Version: pki-ca-10.2.6-10.el7pki.noarch

caManualRenewal profile doesn't work

pki -d /opt/rhqa_pki/certdb/ -c 'Secret123' -h pki2.example.org -p 8080 -n "FoobarCA Admin" ca-profile-show caManualRenewal  --output /tmp/caManualRenewal.xml

Profile "caManualRenewal"
-------------------------
---------------------------------------------------------
Saved profile caManualRenewal to /tmp/caManualRenewal.xml
---------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
    <classId>caEnrollImpl</classId>
    <name>Renewal: Renew certificate to be manually approved by agents</name>
    <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>
    <enabled>true</enabled>
    <visible>true</visible>
    <enabledBy>admin</enabledBy>
    <authenticatorId></authenticatorId>
    <authzAcl></authzAcl>
    <renewal>false</renewal>
    <xmlOutput>false</xmlOutput>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Output id="o1">
        <name>Certificate Output</name>
        <classId>certOutputImpl</classId>
        <attributes name="pretty_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Pretty Print</Description>
            </Descriptor>
        </attributes>
        <attributes name="b64_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Base-64 Encoded</Description>
            </Descriptor>
        </attributes>
    </Output>
    <PolicySets/>
    <link href="https://pki2.example.org:8443/ca/rest/profiles/caManualRenewal" rel="self"/>
</Profile>

The above profile doesn't have the <Value> or <SerialNumber> element. After adding the element

    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Value>40</Value>
        <Attribute name="serial_num">
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Serial Number of Certificate to Renew</Description>
            </Descriptor>
        </Attribute>
    </Input>

and submitting the request, it fails with the below error:

[root@pki2 profile]# pki -d /opt/rhqa_pki/certdb/ -c 'Secret123' -h pki2.example.org -p 8080 -n "FoobarCA Admin" cert-request-submit /tmp/caManualRenewal.xml 
UnmarshalException: unexpected element (uri:"", local:"Profile"). Expected elements are <{}AsymKeyGenerationRequest>,<{}Attribute>,<{}CertEnrollmentRequest>,<{}Input>,<{}KeyArchivalRequest>,<{}KeyRecoveryRequest>,<{}PKIException>,<{}ResourceMessage>,<{}SymKeyGenerationRequest>,<{}descriptor>,<{}profileOutput>

I used the wrong CLI: instead of using cert-request-profile-show, I used ca-profile-show. Using cert-request-profile-show, I am able to submit the request.

Apparently the serial number has to be specified in the <SerialNumber> element instead of the input <Attribute name="serial_num"> element, and it has to be specified as a decimal number. I have updated the wiki page:

http://pki.fedoraproject.org/wiki/Certificate_Renewal

I think the code can be fixed to be more user-friendly. It should accept the serial number specified in either location, and it should accept hexadecimal numbers as well.

Fixed in master:

  • af4dd682a089754867a48af53b8794cea914004a
  • bca7ae015691aeaee1258a177632a01a2823abdd

The <SerialNumber> element was removed from the template, but it's still functional; the element can be re-added to the template to specify the serial number of the certificate to be renewed. This element and some other elements will be deprecated in ticket #1649.
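As an added illustration (not code from the ticket or from Dogtag PKI), the following helper fills the request template from cert-request-profile-show the way this thread worked out: the serial goes into <SerialNumber> in decimal (a 0x-prefixed hex value is converted), a <Profile> document from ca-profile-show is rejected up front instead of failing at submit time with the UnmarshalException above, and a missing <SerialNumber> element is re-added since the CA still honours it. The TEMPLATE string is a constructed sample copied from the ticket; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the request template that
# `pki cert-request-profile-show caManualRenewal --output ...` writes,
# copied from the ticket (the Descriptor under serial_num is omitted).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caManualRenewal</ProfileID>
    <Renewal>true</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>serialNumRenewInputImpl</ClassID>
        <Name>Serial Number of Certificate to Renew</Name>
        <Attribute name="serial_num">
            <Value></Value>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
"""

def parse_serial(text):
    """Return the serial as an int: plain decimal ('242') or 0x-prefixed
    hex ('0xf2', the form pki prints). Anything else is rejected."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if not text.isdigit():
        raise ValueError("serial must be decimal or 0x-prefixed hex: %r" % text)
    return int(text)

def fill_renewal_request(template_xml, serial_text):
    """Put the serial (converted to decimal) into <SerialNumber> and return
    the request XML. Refuses documents that are not a request template."""
    root = ET.fromstring(template_xml)
    if root.tag != "CertEnrollmentRequest":
        # The mistake seen in the ticket: the <Profile> document written by
        # ca-profile-show was fed to cert-request-submit.
        raise ValueError("root is <%s>, not <CertEnrollmentRequest>; generate "
                         "the template with cert-request-profile-show" % root.tag)
    elem = root.find("SerialNumber")
    if elem is None:
        # Newer templates omit the element; the CA still honours it,
        # so re-add it right after <Renewal>.
        elem = ET.Element("SerialNumber")
        root.insert(list(root).index(root.find("Renewal")) + 1, elem)
    elem.text = str(parse_serial(serial_text))  # the CA expects decimal here
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode"))
```

The returned string can be written to a file and passed to `pki ... cert-request-submit` as in the thread; <Value> is left empty, which the reporter found is the combination that works.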

Metadata Update from @mrniranjan:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.2

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1565

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
