This feature must be available since v10.6.8

Steps for verification:
=======================
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import new admin cert into client NSS Db and also add it to the LDAP (NOTE: LDAP accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>` # To renew 1 cert
   OR run `pki-server cert-fix` # To renew ALL certs
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all <cert_ID>s available in the system

To import admin cert into client NSS DB and LDAP, you can refer to the upstream docs:
https://www.dogtagpki.org/wiki/PKI_Client_CLI
https://www.dogtagpki.org/wiki/PKI_User_Certificate_CLI
Fix is seen. Verified using:

````
[root@pki test]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)
[root@pki test]# rpm -qa | grep pki
pki-base-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-base-java-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-container-9.0.7-13.module+el8+2468+c564cec5.noarch
python3-pki-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-symkey-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-tools-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-4.0-api-9.0.7-13.module+el8+2468+c564cec5.noarch
pki-server-10.6.9-2.module+el8+2728+a4ad6bba.noarch
````
Created attachment 1536592: Verified Steps
Marking the bug as VERIFIED as per comment #7 and #8.
Corner cases identified:
========================
1. PKI server needs to operate on default secure port 8443 for the `cert-fix` tool to submit system certificates renewal request.
   Sol: The port is hardcoded: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378
   We can modify the code to accept a port number via `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.
````
[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
````
   This error was seen only when `Root CA signing` cert was imported into the client NSS db.
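Added example (not from this bug report and not part of the pki-server code base): a small pre-flight script covering the two things the thread says go wrong before `cert-fix` is even run, the NOTE in step 3 of the verification steps (LDAP rejects an admin cert whose notBefore is still in the future) and corner case 1 (the tool only talks to port 8443). It assumes the renewed admin cert is available as PEM and that its validity window is read from `openssl x509 -noout -dates` output, and it assumes the instance's secure port can be read from a Tomcat-style server.xml Connector with secure="true"; the file path, the XML layout and the sample inputs below are constructed for the example.

```python
"""Pre-flight checks before running `pki-server cert-fix`.

Added example, not the bug report's or the pki-server project's own code.
Assumed (hypothetical): admin cert in PEM, validity window taken from
`openssl x509 -noout -dates`, secure port read from a Tomcat-style
server.xml; sample inputs at the bottom are constructed.
"""
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DEFAULT_SECURE_PORT = 8443  # the port the cert-fix tool targets (corner case 1)


def openssl_dates(pem_path):
    """Run openssl to get the 'notBefore=' / 'notAfter=' lines for a PEM cert."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", pem_path],
        capture_output=True, text=True, check=True)
    return result.stdout


def parse_openssl_dates(text):
    """Parse the two date lines openssl prints into aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("notBefore", "notAfter"):
            continue
        # openssl pads single-digit days with a space, so normalise whitespace
        parts = value.split()
        if parts and parts[-1] == "GMT":
            parts = parts[:-1]
        dt = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
        found[key] = dt.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("could not find both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def secure_port_from_server_xml(xml_text):
    """Return the port of the first Connector marked secure="true" (layout assumed)."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("secure", "").lower() == "true":
            return int(connector.get("port"))
    raise ValueError("no secure Connector found in server.xml")


def preflight(dates_text, server_xml_text, now=None):
    """Run both checks; returns a list of problems (empty list means go ahead)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    not_before, not_after = parse_openssl_dates(dates_text)
    if now < not_before:
        # This is the case the step-3 NOTE warns about: LDAP will refuse the cert
        problems.append("admin cert not yet valid; LDAP will reject it (valid from %s)"
                        % not_before.isoformat())
    elif now > not_after:
        problems.append("admin cert already expired")
    port = secure_port_from_server_xml(server_xml_text)
    if port != DEFAULT_SECURE_PORT:
        problems.append("instance listens on %d but cert-fix expects %d"
                        % (port, DEFAULT_SECURE_PORT))
    return problems


# Constructed sample inputs, not data from any real instance
SAMPLE_DATES = "notBefore=Feb 15 10:00:00 2019 GMT\nnotAfter=Feb  5 10:00:00 2021 GMT\n"
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" secure="true" scheme="https"/>
</Service></Server>"""

if __name__ == "__main__":
    # For a live run replace the samples with openssl_dates("admin.pem") and the
    # contents of /var/lib/pki/<instance>/conf/server.xml (paths are hypothetical).
    for problem in preflight(SAMPLE_DATES, SAMPLE_SERVER_XML):
        print("PROBLEM:", problem)
```

Run it with the system clock still set to a date inside the admin cert's window (before step 4 moves the clock forward) so the LDAP import in step 3 is not attempted with a not-yet-valid cert; the port check is only meaningful until the `-p <port>` option proposed above exists.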
To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480
*** Bug 1403016 has been marked as a duplicate of this bug. ***