Unable to submit a renewal request using pki cert-request-submit.
[root@dhcp207-176 setup]# pki cert-request-submit a1.xml
PKIException: Internal Server Error
Contents of a1.xml file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <ProfileID>caManualRenewal</ProfileID>
  <Renewal>true</Renewal>
  <SerialNumber></SerialNumber>
  <RemoteHost></RemoteHost>
  <RemoteAddress></RemoteAddress>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Value>242</Value>
      <Descriptor>
        <Syntax>String</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
CA debug logs:
[09/May/2014:09:30:26][CertStatusUpdateTask]: reverse direction getting index 0
[09/May/2014:09:30:26][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord: 14
[09/May/2014:09:30:26][CertStatusUpdateTask]: Record does not qualify,notAfter Wed Oct 29 05:31:24 EDT 2014 date Fri May 09 09:30:26 EDT 2014
[09/May/2014:09:30:26][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false mCounter=-1
[09/May/2014:09:30:26][CertStatusUpdateTask]: In LdapBoundConnFactory::getConn()
[09/May/2014:09:30:26][CertStatusUpdateTask]: masterConn is connected: true
[09/May/2014:09:30:26][CertStatusUpdateTask]: getConn: conn is connected true
[09/May/2014:09:30:26][CertStatusUpdateTask]: getConn: mNumConns now 2
[09/May/2014:09:30:26][CertStatusUpdateTask]: Releasing ldap connection
[09/May/2014:09:30:26][CertStatusUpdateTask]: returnConn: mNumConns now 3
[09/May/2014:09:30:26][CertStatusUpdateTask]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=pki-tomcat-CA attr=description:;
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter CertificateRepositoryMode =
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: updateCounter modeChange=false
[09/May/2014:09:30:26][CertStatusUpdateTask]: CertificateRepository: UpdateCounter mEnableRandomSerialNumbers=false mCounter=-1
[09/May/2014:09:30:26][CertStatusUpdateTask]: updateCertStatus done
[09/May/2014:09:30:26][CertStatusUpdateTask]: Starting cert checkRanges
[09/May/2014:09:30:26][CertStatusUpdateTask]: Serial Management not enabled. Returning ..
[09/May/2014:09:30:26][CertStatusUpdateTask]: cert checkRanges done
[09/May/2014:09:30:26][CertStatusUpdateTask]: Starting request checkRanges
[09/May/2014:09:30:26][CertStatusUpdateTask]: Serial Management not enabled. Returning ..
[09/May/2014:09:30:26][CertStatusUpdateTask]: request checkRanges done
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: mapping: default
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: required auth methods: [*]
[09/May/2014:09:35:04][http-bio-8080-exec-8]: AuthMethodInterceptor: anonymous access allowed
[09/May/2014:09:35:04][http-bio-8080-exec-8]: ACLInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: ACLInterceptor: No ACL mapping.
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: CertRequestResource.enrollCert()
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: content-type: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: accept: [application/xml]
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: request format: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: MessageFormatInterceptor: response format: application/xml
[09/May/2014:09:35:04][http-bio-8080-exec-8]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[09/May/2014:09:35:04][http-bio-8080-exec-8]: Start of CertProcessor Input Parameters
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter profileId='caManualRenewal'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter serial_num='242'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter isRenewal='true'
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter remoteAddr=''
[09/May/2014:09:35:04][http-bio-8080-exec-8]: CertProcessor Input Parameter remoteHost=''
[09/May/2014:09:35:04][http-bio-8080-exec-8]: End of CertProcessor Input Parameters
[09/May/2014:09:35:04][http-bio-8080-exec-8]: RenewalSubmitter: isRenewal true
[09/May/2014:09:35:04][http-bio-8080-exec-8]: processRenewal: renewProfileId caManualRenewal
[09/May/2014:09:35:04][http-bio-8080-exec-8]: RenewalSubmitter: renewal: found serial_num
Also, the profile XML of the caManualRenewal profile contains <SerialNumber></SerialNumber> and also a value tag to enter the serial number, so I am not sure which one to use.
<Name>Serial Number of Certificate to Renew</Name>
<Attribute name="serial_num">
  <Value>242</Value>
  <Descriptor>
    <Syntax>String</Syntax>
    <Description>Serial Number of Certificate to Renew</Description>
  </Descriptor>
Also, should the value of SerialNumber be decimal or hexadecimal?
Okay. After specifying the serial number in the <SerialNumber></SerialNumber> tag, the request was accepted successfully:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <ProfileID>caManualRenewal</ProfileID>
  <Renewal>true</Renewal>
  <SerialNumber>242</SerialNumber>
  <RemoteHost></RemoteHost>
  <RemoteAddress></RemoteAddress>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Value>242</Value>
      <Descriptor>
        <Syntax>String</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
It works if the serial number is not added to <Value></Value> and is just specified in the <SerialNumber> tag.
[root@dhcp207-176 setup]# pki cert-request-submit a1.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 305
  Type: renewal
  Request Status: pending
  Operation Result: success
When submitting the renewal request as below, it works:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <ProfileID>caManualRenewal</ProfileID>
  <Renewal>true</Renewal>
  <SerialNumber>244</SerialNumber>
  <RemoteHost></RemoteHost>
  <RemoteAddress></RemoteAddress>
</CertEnrollmentRequest>
The XML template file comes from the command below:
pki cert-request-profile-show caManualRenewal --output a1.xml
master:
Greetings,
The caManualProfile has changed from the previous version:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
  <classId>caEnrollImpl</classId>
  <name>Renewal: Renew certificate to be manually approved by agents</name>
  <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>
  <enabled>true</enabled>
  <visible>true</visible>
  <enabledBy>admin</enabledBy>
  <authenticatorId></authenticatorId>
  <authzAcl></authzAcl>
  <renewal>false</renewal>
  <xmlOutput>false</xmlOutput>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Descriptor>
        <Syntax>string</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
  <Output id="o1">
    <name>Certificate Output</name>
    <classId>certOutputImpl</classId>
    <attributes name="pretty_cert">
      <Descriptor>
        <Syntax>pretty_print</Syntax>
        <Description>Certificate Pretty Print</Description>
      </Descriptor>
    </attributes>
    <attributes name="b64_cert">
      <Descriptor>
        <Syntax>pretty_print</Syntax>
        <Description>Certificate Base-64 Encoded</Description>
      </Descriptor>
    </attributes>
  </Output>
  <PolicySets/>
  <link href="https://pki1.example.org:30042/ca/rest/profiles/caManualRenewal" rel="self"/>
</Profile>
How do we specify the serial number in the profile?
I tried adding a <value> tag under <Attribute name="serial_num"> as shown below:
<Input id="i1">
  <ClassID>serialNumRenewInputImpl</ClassID>
  <Name>Serial Number of Certificate to Renew</Name>
  <Attribute name="serial_num">
    <Descriptor>
      <Syntax>string</Syntax>
      <Description>Serial Number of Certificate to Renew</Description>
    </Descriptor>
    <value>53</value>
  </Attribute>
</Input>
But I am unable to submit after making the above modification; it fails with the error below:
# pki -d /opt/rhqa_pki/certs_db/ -c Secret123 -n "ROOTCA_agentV" -h pki1.example.org -p 30044 cert-request-submit /tmp/myoutput2.xml
Error: unexpected element (uri:"", local:"Profile"). Expected elements are <{}Attribute>,<{}CertEnrollmentRequest>,<{}Input>,<{}descriptor>,<{}profileOutput>
Please provide the method to submit a renewal request using the CLI.
The request template has not changed. As an end-entity, the request template can be obtained using the following command:
$ pki cert-request-profile-show caManualRenewal --output caManualRenewal.request
It generates the following request template:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <ProfileID>caManualRenewal</ProfileID>
  <Renewal>true</Renewal>
  <SerialNumber></SerialNumber>
  <RemoteHost></RemoteHost>
  <RemoteAddress></RemoteAddress>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Value></Value>
      <Descriptor>
        <Syntax>string</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
The request template can be used to create a request by adding the serial number to either the <SerialNumber> element or the <Value> element under the "serial_num" attribute.
The request can be submitted using the following command:
$ pki ... cert-request-submit caManualRenewal.request
As admin, the request can be approved using the following command:
$ pki ... cert-request-review <request ID> --action approve
Separately, as admin the profile configuration can be obtained using the following command:
$ pki ... ca-profile-show caManualRenewal --output caManualRenewal.profile
The profile configuration contains the <Profile> element:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
  <classId>caEnrollImpl</classId>
  <name>Renewal: Renew certificate to be manually approved by agents</name>
  <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>
  ...
</Profile>
The profile configuration cannot be used to submit a renewal request. The status of this ticket has been restored to resolved as fixed. No additional change is necessary at this point.
Version: pki-ca-10.2.6-10.el7pki.noarch
caManualRenewal profile doesn't work
pki -d /opt/rhqa_pki/certdb/ -c 'Secret123' -h pki2.example.org -p 8080 -n "FoobarCA Admin" ca-profile-show caManualRenewal --output /tmp/caManualRenewal.xml
Profile "caManualRenewal"
-------------------------
---------------------------------------------------------
Saved profile caManualRenewal to /tmp/caManualRenewal.xml
---------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caManualRenewal">
  <classId>caEnrollImpl</classId>
  <name>Renewal: Renew certificate to be manually approved by agents</name>
  <description>This certificate profile is for renewing certificates to be approved manually by agents.</description>
  <enabled>true</enabled>
  <visible>true</visible>
  <enabledBy>admin</enabledBy>
  <authenticatorId></authenticatorId>
  <authzAcl></authzAcl>
  <renewal>false</renewal>
  <xmlOutput>false</xmlOutput>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Descriptor>
        <Syntax>string</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
  <Output id="o1">
    <name>Certificate Output</name>
    <classId>certOutputImpl</classId>
    <attributes name="pretty_cert">
      <Descriptor>
        <Syntax>pretty_print</Syntax>
        <Description>Certificate Pretty Print</Description>
      </Descriptor>
    </attributes>
    <attributes name="b64_cert">
      <Descriptor>
        <Syntax>pretty_print</Syntax>
        <Description>Certificate Base-64 Encoded</Description>
      </Descriptor>
    </attributes>
  </Output>
  <PolicySets/>
  <link href="https://pki2.example.org:8443/ca/rest/profiles/caManualRenewal" rel="self"/>
</Profile>
The above profile doesn't have the <Value> or <SerialNumber> element. After adding the element:
<Input id="i1">
  <ClassID>serialNumRenewInputImpl</ClassID>
  <Name>Serial Number of Certificate to Renew</Name>
  <Value>40</Value>
  <Attribute name="serial_num">
    <Descriptor>
      <Syntax>string</Syntax>
      <Description>Serial Number of Certificate to Renew</Description>
    </Descriptor>
  </Attribute>
</Input>
and submitting the request, it fails with the error below:
[root@pki2 profile]# pki -d /opt/rhqa_pki/certdb/ -c 'Secret123' -h pki2.example.org -p 8080 -n "FoobarCA Admin" cert-request-submit /tmp/caManualRenewal.xml
UnmarshalException: unexpected element (uri:"", local:"Profile"). Expected elements are <{}AsymKeyGenerationRequest>,<{}Attribute>,<{}CertEnrollmentRequest>,<{}Input>,<{}KeyArchivalRequest>,<{}KeyRecoveryRequest>,<{}PKIException>,<{}ResourceMessage>,<{}SymKeyGenerationRequest>,<{}descriptor>,<{}profileOutput>
I used the wrong CLI: instead of using cert-request-profile-show, I used ca-profile-show. Using cert-request-profile-show, I am able to submit the request.
Apparently the serial number has to be specified in the <SerialNumber> element instead of the input <Attribute name="serial_num"> element, and it has to be specified as a decimal number. I have updated the wiki page:
http://pki.fedoraproject.org/wiki/Certificate_Renewal
I think the code can be fixed to be more user-friendly. It should accept the serial number specified in either location, and it should accept hexadecimal number as well.
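As an added example (not Dogtag PKI code), the following Python script fills in the request template from cert-request-profile-show the way this thread settles on: the serial goes into <SerialNumber> as a decimal value, the serial_num <Value> is left empty, a 0x-prefixed hexadecimal serial is converted to decimal, and a <Profile> document (the ca-profile-show output that produced the UnmarshalException above) is rejected before anything is sent to the CA. The function names are hypothetical, and TEMPLATE and PROFILE_DOCUMENT are constructed from the XML quoted in this ticket.

```python
"""Fill in a Dogtag CA renewal request template (CertEnrollmentRequest XML).

Added example, not Dogtag PKI code. It assumes the request template produced by
`pki cert-request-profile-show caManualRenewal --output ...` as quoted in this
ticket; the function names are hypothetical and TEMPLATE is constructed from
that template.
"""
import xml.etree.ElementTree as ET

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed copy of the empty request template quoted in the ticket.
TEMPLATE = XML_DECLARATION + """<CertEnrollmentRequest>
  <ProfileID>caManualRenewal</ProfileID>
  <Renewal>true</Renewal>
  <SerialNumber></SerialNumber>
  <RemoteHost></RemoteHost>
  <RemoteAddress></RemoteAddress>
  <Input id="i1">
    <ClassID>serialNumRenewInputImpl</ClassID>
    <Name>Serial Number of Certificate to Renew</Name>
    <Attribute name="serial_num">
      <Value></Value>
      <Descriptor>
        <Syntax>string</Syntax>
        <Description>Serial Number of Certificate to Renew</Description>
      </Descriptor>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
"""

# Constructed stand-in for what ca-profile-show returns: a <Profile> document,
# which cert-request-submit rejects with the UnmarshalException seen in the ticket.
PROFILE_DOCUMENT = XML_DECLARATION + """<Profile id="caManualRenewal">
  <classId>caEnrollImpl</classId>
</Profile>
"""


class RequestError(ValueError):
    """Raised when the template cannot be turned into a valid renewal request."""


def normalize_serial(serial):
    """Return the serial number as a decimal string.

    The CA only accepts a decimal value in <SerialNumber>, so a 0x-prefixed
    hexadecimal serial (the form most certificate tools display) is converted.
    """
    text = serial.strip()
    try:
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        raise RequestError("serial number must be decimal or 0x-prefixed hex: %r" % serial)
    if value < 0:
        raise RequestError("serial number must be non-negative: %r" % serial)
    return str(value)


def fill_renewal_request(template_xml, serial):
    """Return the request XML with <SerialNumber> set and <Value> left empty."""
    root = ET.fromstring(template_xml)
    # Catch the mistake from the ticket early: a <Profile> document is not a request.
    if root.tag != "CertEnrollmentRequest":
        raise RequestError(
            "expected <CertEnrollmentRequest>, got <%s>; use cert-request-profile-show, "
            "not ca-profile-show, to obtain the template" % root.tag)
    if root.findtext("Renewal") != "true":
        raise RequestError("template is not a renewal request (<Renewal> is not true)")

    decimal = normalize_serial(serial)

    # Newer templates omit <SerialNumber>; the element is still honoured, so it is
    # re-added right after <Renewal> when missing.
    sn = root.find("SerialNumber")
    if sn is None:
        renewal = root.find("Renewal")
        sn = ET.Element("SerialNumber")
        sn.tail = renewal.tail
        root.insert(list(root).index(renewal) + 1, sn)
    sn.text = decimal

    # Leave the serial_num <Value> empty so the request has a single source of truth.
    for attribute in root.iter("Attribute"):
        if attribute.get("name") == "serial_num":
            value = attribute.find("Value")
            if value is not None:
                value.text = None

    return XML_DECLARATION + ET.tostring(root, encoding="unicode")


def serial_in_request(request_xml):
    """Read back the <SerialNumber> text from a request document (None if absent)."""
    return ET.fromstring(request_xml).findtext("SerialNumber")


if __name__ == "__main__":
    # 0xF2 is 242, the serial used in the ticket; writes the filled request to stdout.
    print(fill_renewal_request(TEMPLATE, "0xF2"))
```

Redirect the output to a file and pass that file to pki cert-request-submit; the root-element check is what turns the opaque UnmarshalException into an actionable message before the CA is contacted.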
Fixed in master:
The <SerialNumber> element was removed from the template, but it's still functional; the element can be re-added to the template to specify the serial number of the certificate to be renewed. This element and some other elements will be deprecated in ticket #1649.
Metadata Update from @mrniranjan:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1565
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.