Description of problem:
The package pki-tools available from the RHEL7 repo rhel-7-server-rhcmsys-9-rpms is only in version 10.2.6-8.el7pki, but it doesn't work because it does not support the option to authenticate (--username and --password) in the cert-request-submit module, so the server replies with Unauthorized status and fails. On Fedora 23 with version 10.2.6-16.fc23 it works fine. The solution would be to make a newer version of pki-tools available in RHEL7 repos. Thanks.

Version-Release number of selected component (if applicable):
pki-tools-10.2.6-8.el7pki.x86_64

How reproducible:
Run 'pki -v -C ~/.pki.password -U server_URL cert-request-submit user.xml --username $USERNAME --password' where user.xml is the certificate request to be signed.

Steps to Reproduce:
1. Run 'pki -v -C ~/.pki.password -U server_URL cert-request-submit user.xml --username $USERNAME --password'

Actual results:
Get an error response from server:

Server URI: server_URI
Client security database: /home/username/.dogtag/nssdb
Message format: null
Command: cert-request-submit request.xml --username username --password
Initializing client security database
Logging into security token
Module: cert
Module: request-submit
Error: Unrecognized option: --username
usage: cert-request-submit <filename> [OPTIONS...]
    --help    Show help options

Expected results:
Get this status:
-----------------------------
Submitted certificate request
-----------------------------
and then receive a confirmation email.

Additional info:
Changed back to POST per CS Bug Triage of 04/19/2016.
Setup:
------
1. Create a template of an existing profile.
pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-profile-show caDirUserCert --output user1.xml
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-profile-show caUserCert --output user.xml

2. Create key/csr request.
openssl genrsa 4096 > test.key
openssl req -new -key test.key -out test.csr

3. Include the below mentioned fields in the templates of the profile, i.e. user.xml and user1.xml (attached copy of both xml files for future use).
user.xml:
cert_request_type = pkcs10
cert_request = your copied CSR output
subject =

user1.xml:
cert_request_type = pkcs10
cert_request = your copied CSR output
sn_cert_name = the custom name that got you into this mess to begin with

4. Create ldap users so that it can be verified using username/password.
dn: uid=ldapuser2,ou=people,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ldapuser2
cn: Test User
sn: User
givenName: Test
userPassword: Secret123%_test

5. Edit ca CS.cfg. Stop the CA service first using systemctl stop pki-tomcatd
-- Edit below entries in CS.cfg
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=org
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki1.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=3389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
-- start CA service: systemctl start pki-tomcatd

6. Output should say:

Valid Ldap entry:
-----------------
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_test
Password:
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 79
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x43

Test Case 1: For valid ldapuser entry
-------------
[root@pki1 test_dir]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_test
Password:
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 79
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x43

Test Case 2: Invalid ldap user entry
------------
[root@pki1 test_dir]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
UnauthorizedException: Invalid Credential

Test Case 3: Remove the LDAP setting added in step 5. Make sure no more authentication happens now.
-----------
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
PKIException: Property auths.instance.UserDirEnrollment.ldap.ldapconn.host missing value

Test Case 4: If the LDAP instance is not reachable/down
------------
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
PKIException: Could not connect to LDAP server host pki1.example.com port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://pki1.example.com:389 (91)

Reference:
https://mojo.redhat.com/docs/DOC-959077
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles
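The verification comment above shows what happens when the UserDirEnrollment block in CS.cfg is complete (Test Case 1), when a value is blanked (Test Case 3, "Property ... ldapconn.host missing value") and how secureConn is set. The following script is an added example, not part of the bug report or of the pki project: it parses a CS.cfg-style fragment and checks one auths.instance block before the CA is restarted, so a missing value or a cleartext LDAP bind is caught on the admin's side rather than by a failing enrollment. The key names come from the comment above; the choice of which keys count as required (REQUIRED_KEYS) and the two sample fragments are my own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Sub-keys assumed necessary for a UidPwdDirAuth username/password bind
# (names taken from the CS.cfg fragment in the verification comment).
REQUIRED_KEYS = (
    "pluginName",
    "ldap.basedn",
    "ldap.ldapconn.host",
    "ldap.ldapconn.port",
    "ldap.ldapauth.bindDN",
)

# Constructed sample: the working fragment from the verification comment.
GOOD_CFG = """\
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=org
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki1.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=3389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
"""

# Constructed sample: same block with the host value blanked, the state that
# produced "Property ... ldapconn.host missing value" in Test Case 3.
BROKEN_CFG = GOOD_CFG.replace("ldapconn.host=pki1.example.com", "ldapconn.host=")


def parse_cs_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped.
    Only the first '=' splits, so values like 'cn=Directory Manager' survive."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


@dataclass
class AuthCheck:
    missing: list[str] = field(default_factory=list)   # required keys absent or empty
    warnings: list[str] = field(default_factory=list)  # present but risky or odd

    @property
    def ok(self) -> bool:
        return not self.missing


def check_auth_instance(props: dict[str, str], instance: str = "UserDirEnrollment") -> AuthCheck:
    """Report empty required keys and risky settings for one auths.instance block."""
    prefix = f"auths.instance.{instance}."
    result = AuthCheck()
    for suffix in REQUIRED_KEYS:
        if not props.get(prefix + suffix):
            result.missing.append(prefix + suffix)
    plugin = props.get(prefix + "pluginName")
    if plugin and plugin != "UidPwdDirAuth":
        result.warnings.append(f"pluginName is {plugin}, not UidPwdDirAuth")
    port = props.get(prefix + "ldap.ldapconn.port", "")
    if port and not port.isdigit():
        result.warnings.append(f"ldapconn.port is not numeric: {port!r}")
    # With secureConn=false the CA binds to LDAP without TLS, so each enrolling
    # user's password crosses the network in cleartext; flag it for review.
    if props.get(prefix + "ldap.ldapconn.secureConn", "").lower() == "false":
        result.warnings.append("ldapconn.secureConn=false: user passwords sent to LDAP in cleartext")
    return result


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("broken", BROKEN_CFG)):
        r = check_auth_instance(parse_cs_cfg(cfg))
        state = "ok" if r.ok else "MISSING " + ", ".join(r.missing)
        print(f"{name}: {state}; warnings: {r.warnings}")
```

Run it as-is to see the two constructed fragments classified; to check a real instance, read the CS.cfg text into parse_cs_cfg and inspect the returned AuthCheck before running systemctl start pki-tomcatd.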
Created attachment 1182446: Xml_files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html