Some time ago ACME on my FreeIPA installation stopped working. Certificate issuance is not working (ACME agent reports 404) and `ipa-acme-manage` fails to authenticate:

```
$ ipa-acme-manage status
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.
```

With more debug:

```
$ ipa-acme-manage -d status
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-PIPEBREAKER-PL.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f4bd2cc2660>
ipaserver.masters: DEBUG: Discovery: available servers for service 'CA' are kaitain.pipebreaker.pl
ipaserver.masters: DEBUG: Discovery: using kaitain.pipebreaker.pl for 'CA' service
ipapython.dogtag: DEBUG: request POST https://kaitain.pipebreaker.pl:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
```

At this time, /var/log/pki/pki-tomcat/localhost_access_log registers:

```
[06/Mar/2025:14:06:40 +0100] "POST /acme/login HTTP/1.1" 404 765
```

Further verification with curl:

```
$ curl https://kaitain.pipebreaker.pl:8443/acme/login
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title>
```

I've noticed there's a rewrite.config file at /usr/share/pki/server/conf/Catalina/localhost/rewrite.config, defining a number of mappings of /acme/* to /acme/rest/*. Indeed, when I try to access the second kind of URL with curl, it somewhat works:

```
$ curl https://kaitain.pipebreaker.pl:8443/acme/rest/login
$ # no output -> no error
```

Access log:

```
- [06/Mar/2025:14:10:21 +0100] "GET /acme/rest/login HTTP/1.1" 204 -
```

My suspicion is that rules defined in rewrite.config do not work. How to proceed with debugging now?

Reproducible: Always

```
$ rpm -qf /usr/share/pki/server/conf/Catalina/localhost/rewrite.config
dogtag-pki-server-11.5.0-3.fc41.2.noarch
freeipa-server-4.12.2-8.fc41.x86_64
```
The file seems to come from upstream: https://github.com/dogtagpki/pki/commit/994d932100c7d335752fe817a7d8757f62439b08
Moving to dogtag-pki, as it is purely within dogtag.
After some code reading, I got it working (I think? `ipa-acme-status` works, I'll see if any of my certificates will be issued). What I did:

1. Symlinked /usr/share/pki/server/conf/Catalina/localhost/rewrite.config to /etc/pki/pki-tomcat/Catalina/localhost/rewrite.config
2. Edited /etc/pki/pki-tomcat/server.xml and added in line 133 (almost at the end):

   ```xml
   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
   ```

Were the steps correct? Should it be done during FreeIPA upgrade?
Certificates got reissued to ACME clients.
This configuration file was added to dogtag in v11.3 to provide support for the EST protocol in f95df455c5f062ef024b91f5bfc95d919c91cfb7. The commit message explicitly says that this configuration is not added on upgrade. The ACME rewrite rules were added in v11.5 in 994d932100c.

So any version of PKI installed prior to v11.3 will not have rewrite.config enabled, which is the root cause of the missing rules. IMHO this upgrade to add the missing file and config needs to be managed by PKI, as it will affect all older PKI deployments whether they use IPA or not.
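As an added example (not Dogtag's or FreeIPA's own code), a small Python check for the two halves of the workaround posted above and the root cause described here: a RewriteValve declared inside `<Host>` in /etc/pki/pki-tomcat/server.xml, and a rewrite.config present under Catalina/localhost of the instance. The sample server.xml and the symlink target used in `demo()` are constructed stand-ins; the path and element names follow the thread.

```python
"""Check a Dogtag/PKI Tomcat instance for the two pieces the rewrite fix needs."""
import os
import tempfile
import xml.etree.ElementTree as ET

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"


def host_has_rewrite_valve(server_xml_text: str) -> bool:
    """True if a RewriteValve sits directly under <Host>: only a Host-level valve
    makes Tomcat read conf/Catalina/<host>/rewrite.config."""
    root = ET.fromstring(server_xml_text)
    return any(
        valve.get("className") == REWRITE_VALVE
        for host in root.iter("Host")
        for valve in host.findall("Valve")
    )


def rewrite_config_path(instance_conf_dir: str, host_name: str = "localhost") -> str:
    """Where a Host-level RewriteValve expects its rules for the given host."""
    return os.path.join(instance_conf_dir, "Catalina", host_name, "rewrite.config")


def diagnose(server_xml_text: str, instance_conf_dir: str) -> list[str]:
    """Return the problems found; an empty list means the rewrite setup is complete."""
    problems = []
    if not host_has_rewrite_valve(server_xml_text):
        problems.append("server.xml: no RewriteValve inside <Host>")
    # isfile() follows symlinks, so a dangling symlink is reported as missing too.
    if not os.path.isfile(rewrite_config_path(instance_conf_dir)):
        problems.append("rewrite.config missing under Catalina/localhost")
    return problems


def add_host_rewrite_valve(server_xml_text: str) -> str:
    """Insert the valve just before </Host> by text, keeping comments and layout intact."""
    if host_has_rewrite_valve(server_xml_text):
        return server_xml_text
    valve = f'<Valve className="{REWRITE_VALVE}"/>\n      </Host>'
    return server_xml_text.replace("</Host>", valve, 1)


# Constructed, minimal server.xml shaped like a pre-11.3 instance (no RewriteValve).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def demo() -> tuple[list[str], list[str]]:
    """Diagnose a throwaway instance directory before and after the two fix steps."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "pki-tomcat")  # stand-in for /etc/pki/pki-tomcat
        os.makedirs(os.path.join(conf_dir, "Catalina", "localhost"))
        before = diagnose(SAMPLE_SERVER_XML, conf_dir)
        # Step 1: symlink rewrite.config into the instance. On a real system the
        # link target is /usr/share/pki/server/conf/Catalina/localhost/rewrite.config;
        # here it is a constructed stand-in file.
        source = os.path.join(tmp, "upstream-rewrite.config")
        with open(source, "w", encoding="utf-8") as fh:
            fh.write("# constructed stand-in for the packaged rewrite.config\n")
        os.symlink(source, rewrite_config_path(conf_dir))
        # Step 2: declare the valve at Host level in server.xml.
        after = diagnose(add_host_rewrite_valve(SAMPLE_SERVER_XML), conf_dir)
    return before, after
```

Because the valve is declared at Host level, Tomcat looks for conf/Catalina/<host>/rewrite.config, which is why the symlink goes into Catalina/localhost rather than next to server.xml.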
Thanks for the investigation. I suppose the issue can be reproduced in a plain PKI instance with these steps:

1. Install PKI 11.2 or older
2. Create CA instance
3. Upgrade to the latest PKI version
4. Deploy ACME or EST in the same instance
5. Access ACME or EST services

Expected result: ACME and EST services should work.
https://github.com/dogtagpki/pki/pull/5101
Fixed upstream:

* v11.6 branch: https://github.com/dogtagpki/pki/commit/a0671f2c9e7385447c80f58d49ca06646811b975
* master branch (PKI 11.7): https://github.com/dogtagpki/pki/commit/17a44731c7d6aa2888ae8e700149712351fe081c
Tested on fedora-42 COPR build:

```
# cat /etc/fedora-release
Fedora release 42 (Adams)
# rpm -qa | grep -e pki -e jss -e jackson -e resteasy | sort
dogtag-jss-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-jss-tomcat-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-pki-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.x86_64
dogtag-pki-acme-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-base-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-ca-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-est-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-java-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-javadoc-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-kra-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-ocsp-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-server-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-tests-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-theme-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-tks-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
dogtag-pki-tools-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.x86_64
dogtag-pki-tps-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
jackson-annotations-2.18.2-2.fc42.noarch
jackson-core-2.18.2-2.fc42.noarch
jackson-databind-2.18.2-2.fc42.noarch
jackson-jaxrs-json-provider-2.18.2-2.fc42.noarch
jackson-jaxrs-providers-2.18.2-2.fc42.noarch
jackson-module-jaxb-annotations-2.18.2-2.fc42.noarch
pki-resteasy-3.0.26-32.fc42.noarch
pki-resteasy-client-3.0.26-32.fc42.noarch
pki-resteasy-core-3.0.26-32.fc42.noarch
pki-resteasy-jackson2-provider-3.0.26-32.fc42.noarch
pki-resteasy-servlet-initializer-3.0.26-32.fc42.noarch
python3-dogtag-pki-11.8.0-0.1.beta1.20250701010733UTC.db2e7fc3.fc42.noarch
```

Test scenario: comment 6

Result:

1. Setup fedora-37 and install PKI-11.2 packages
2. Install CA and stop the instance
3. Upgraded the fedora from 37 to 42 as per this flow: 37->39->41->42
4. Enable the COPR (`dnf copr enable @pki/master`) on fedora-42 and ran `dnf update`, and here it updated the package to latest PKI-11.8 (COPR); reboot the VM
5. Start the CA instance
6. Search for rewrite.config file:

   ```
   # find / -name rewrite.config
   /etc/pki/pki-tomcat/Catalina/localhost/rewrite.config
   /usr/share/pki/server/conf/Catalina/localhost/rewrite.config
   ```

7. Deploy EST and ACME

EST:

```
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/est/manifest
INFO: Creating /var/lib/pki/pki-tomcat/logs/est/archive/spawn_manifest.20250701180341
INFO: Copying /etc/sysconfig/pki/tomcat/pki-tomcat/est/manifest to /var/lib/pki/pki-tomcat/logs/est/archive/spawn_manifest.20250701180341
==========================================================================
                            INSTALLATION SUMMARY
==========================================================================
The URL for the subsystem is: https://pki1.example.com:8443/.well-known/est
==========================================================================
# cat /usr/share/pki/est/bin/estauthz
#!/usr/bin/python3
import json, sys
ALLOWED_ROLE = 'EST Users'
obj = json.loads(sys.stdin.read())
if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
    print(f'Principal does not have required role {ALLOWED_ROLE!r}')
    sys.exit(1)
# cat /etc/pki/pki-tomcat/est/backend.conf
class=org.dogtagpki.est.DogtagRABackend
password=password
profile=estServiceCert
url=https://pki1.example.com:8443
username=est-ra-1
# cat /etc/pki/pki-tomcat/est/realm.conf
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=password
class=com.netscape.cms.realm.PKILDAPRealm
groupsDN=ou=groups,dc=est,dc=pki,dc=example,dc=com
url=ldap://pki1.example.com:4389
usersDN=ou=people,dc=est,dc=pki,dc=example,dc=com
# ldapadd -x -H ldap://pki1.example.com:4389 -D "cn=Directory Manager" -w password -f ldap.cfg
adding new entry "uid=prisingh,ou=people,dc=est,dc=pki,dc=example,dc=com"
# ldapmodify -x -H ldap://pki1.example.com:4389 -D "cn=Directory Manager" -w password -f add_user_to_group.cfg
modifying entry "cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com"
# ldapsearch -x -H ldap://pki1.example.com:4389 -D "cn=Directory Manager" -w password -b 'dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
...
...
# people, est.pki.example.com
dn: ou=people,dc=est,dc=pki,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

# groups, est.pki.example.com
dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

# EST Users, groups, est.pki.example.com
dn: cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: EST Users
description: Users enabled to enroll certificate
uniqueMember: uid=prisingh,ou=people,dc=est,dc=pki,dc=example,dc=com

# prisingh, people, est.pki.example.com
dn: uid=prisingh,ou=people,dc=est,dc=pki,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: prisingh
sn: prisingh
uid: prisingh
userPassword:: <Base64ofpassword>

# search result
search: 2
result: 0 Success
```

Certificate enrollment:

```
# pki nss-cert-request --csr testServer.csr --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=prisingh'
# openssl req -in testServer.csr -outform der | openssl base64 -out testServer.p10
# curl --cacert ./ca_signing.crt --anyauth -u prisingh:password --data-binary @testServer.p10 -H "Content-Type: application/pkcs10" -o newCert.p7 https://pki1.example.com:8443/.well-known/est/simpleenroll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1654  100   687  100   967  66216  93204 --:--:-- --:--:-- --:--:--  161k
100  2389  100  1422  100   967   1450    986 --:--:-- --:--:-- --:--:--     0
# openssl base64 -d -in newCert.p7 | openssl pkcs7 -inform der -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=example.com Security Domain, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Jul  1 18:11:21 2025 GMT
            Not After : Sep 29 18:11:21 2025 GMT
        Subject: CN=prisingh
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:d1:1e:e7:cd:cd:96:54:51:29:e3:9d:7e:4a:
                    c0:fa:fe:08:1f:da:9e:e2:61:af:d6:55:ee:e1:ba:
                    c9:6b:ba:19:0c:54:f0:4a:1e:0b:cd:70:4f:61:02:
                    93:1c:0c:95:95:3f:89:2d:7b:2e:af:fa:92:68:c7:
                    0d:f9:aa:88:7d:2f:15:0e:ad:46:47:2a:d3:0e:9f:
                    d3:17:66:dc:f4:5e:96:b0:c5:8e:e8:c6:1e:98:2e:
                    da:f2:3c:9a:6e:9d:ea:5d:09:bd:b3:84:30:a7:2e:
                    c8:43:4a:48:50:40:c5:49:a4:99:8b:7c:d9:b7:b2:
                    a5:5c:33:eb:95:81:87:2f:3c:b0:3b:42:9d:42:15:
                    05:14:c6:65:c2:fa:25:66:d1:a8:d1:fb:97:6b:a2:
                    32:a1:b2:93:b4:71:2e:67:be:aa:2e:af:ae:7f:9c:
                    f3:34:b3:55:e9:3f:f5:d4:93:d2:98:f9:4b:31:06:
                    93:0d:dc:6b:ea:79:11:0c:27:94:da:ea:49:e3:df:
                    97:90:11:34:46:b2:b7:35:6b:03:c0:78:d5:90:3b:
                    fe:d3:b0:b2:2c:e6:3b:a3:a6:74:f4:e2:9a:ea:c9:
                    02:6a:c0:a0:cd:80:94:3b:15:e9:4a:17:60:ce:10:
                    c3:46:24:38:c5:ff:6b:7a:27:ce:04:3e:d7:8b:88:
                    47:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                11:51:66:F2:6E:0E:64:53:9A:E8:A0:A9:65:3A:29:DF:C2:BC:07:47
            X509v3 Authority Key Identifier:
                98:45:79:FA:77:AD:5A:5F:79:32:3C:28:AA:6F:FE:D5:08:C5:CD:04
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        cb:03:93:62:ef:aa:ba:d4:3e:57:66:d5:62:24:c7:d1:b0:91:
        9f:84:00:7c:c1:91:c4:48:58:cf:56:82:64:83:eb:f7:4d:2b:
        57:7e:ab:2f:a9:c7:aa:5a:ce:9b:3d:51:11:75:7c:00:c9:6e:
        32:1d:74:bd:04:98:3f:a4:21:53:26:00:47:ba:66:a5:64:c4:
        df:cb:7d:5b:7d:88:d3:a6:c3:62:3b:98:58:b0:ad:7e:d9:9f:
        78:a2:24:e4:a5:1a:63:18:4e:d8:ed:dc:76:95:e5:f4:44:6f:
        7b:e7:d2:cf:6a:58:d9:c5:21:bf:3f:7f:a8:74:2b:20:80:db:
        25:df:09:13:1d:b3:17:48:97:0c:41:e2:51:f8:aa:0a:e3:ed:
        4c:58:20:89:e2:39:aa:22:4c:e9:4b:02:45:39:10:3a:0b:30:
        b1:ac:6d:f4:2e:04:b6:f9:94:84:e6:ce:8e:6b:91:b5:90:41:
        0e:0d:f7:b7:a9:c3:97:44:85:c1:d7:0e:fb:4e:9d:37:92:94:
        b6:28:ae:91:51:41:68:a2:64:c5:8e:84:e7:2e:dd:4d:63:f6:
        a0:9c:aa:4c:5c:9b:df:3c:33:45:4c:67:bf:43:cb:45:c8:97:
        4d:d2:9b:ee:6f:36:54:97:9d:8b:6f:2e:47:d3:1a:cb:90:2d:
        34:a4:d0:32:2b:05:54:d2:29:03:07:33:ac:5f:20:cf:6d:92:
        cd:b5:03:65:df:b1:4f:eb:d2:ab:31:03:b7:9a:ec:1c:e2:dc:
        fd:d6:4e:26:4f:eb:3a:85:9c:6f:a7:74:e2:95:da:3b:99:41:
        d0:fc:0e:d1:6d:7b:59:4c:0f:2a:e1:c2:ee:40:50:99:92:cf:
        94:3f:bb:1d:61:0d:33:27:34:50:f3:3d:bc:32:ee:60:d7:4a:
        08:42:24:3a:3a:17:e6:32:93:8b:93:6b:3a:11:e4:fd:76:2b:
        72:6b:90:19:e4:88:17:68:36:44:90:b9:a9:c4:4a:2d:ba:c1:
        85:4e:aa:af:72:76
```

With wrong credential:

```
# pki nss-cert-request --csr testServer.csr --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=prisingh'
[root@pki1 fedora]# openssl req -in testServer.csr -outform der | openssl base64 -out testServer.p10
[root@pki1 fedora]# curl --cacert ./ca_signing.crt --anyauth -u prisingh:wrongpassword --data-binary @testServer.p10 -H "Content-Type: application/pkcs10" -o newCert.p7 https://pki1.example.com:8443/.well-known/est/simpleenroll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1654  100   687  100   967  52899  74459 --:--:-- --:--:-- --:--:--  134k
100  1654  100   687  100   967  44420  62524 --:--:-- --:--:-- --:--:--  104k
[root@pki1 fedora]# cat newCert.p7
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The request has not been applied to the target resource because it lacks valid authentication credentials for that resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.105</h3></body></html>[root@pki1 fedora]#
```

ACME:

```
DEBUG: Starting new HTTPS connection (1): pki1.example.com:8443
DEBUG: https://pki1.example.com:8443 "GET /acme/ HTTP/1.1" 200 3208
INFO: acme web application started
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/acme/deployment.cfg
INFO: Creating /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_deployment.cfg.20250703162028
INFO: Copying /etc/sysconfig/pki/tomcat/pki-tomcat/acme/deployment.cfg to /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_deployment.cfg.20250703162028
DEBUG: Command: mkdir /var/lib/pki/pki-tomcat/logs/acme/archive
DEBUG: Command: cp /etc/sysconfig/pki/tomcat/pki-tomcat/acme/deployment.cfg /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_deployment.cfg.20250703162028
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/acme/manifest
INFO: Creating /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_manifest.20250703162028
INFO: Copying /etc/sysconfig/pki/tomcat/pki-tomcat/acme/manifest to /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_manifest.20250703162028
DEBUG: Command: cp /etc/sysconfig/pki/tomcat/pki-tomcat/acme/manifest /var/lib/pki/pki-tomcat/logs/acme/archive/spawn_manifest.20250703162028
==========================================================================
                            INSTALLATION SUMMARY
==========================================================================
The URL for the subsystem is: https://pki1.example.com:8443/acme
==========================================================================
# cat /etc/pki/pki-tomcat/acme/database.conf
authType=BasicAuth
baseDN=dc=acme,dc=pki,dc=example,dc=com
bindDN=cn=Directory Manager
bindPassword=password
class=org.dogtagpki.acme.database.DSDatabase
url=ldap://pki1.example.com:389
# cat /etc/pki/pki-tomcat/acme/issuer.conf
class=org.dogtagpki.acme.issuer.PKIIssuer
password=password
profile=acmeServerCert
url=https://pki1.example.com:8443
username=caadmin
# cat /etc/pki/pki-tomcat/acme/realm.conf
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=password
class=org.dogtagpki.acme.realm.DSRealm
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
url=ldap://pki1.example.com:389
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
# pki acme-info
  Status: Available
  Terms of Service: https://www.example.com/acme/tos.pdf
  Website: https://www.example.com
  CAA Identities: example.com
  External Account Required: false
# pki ca-cert-find
---------------
6 entries found
---------------
...
```

Create ACME account:

```
# certbot register --server http://pki1.example.com:8080/acme/directory --email testuser --agree-tos --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
# ldapsearch -H ldap://pki1.example.com:389 -D "cn=Directory Manager" -w password -b ou=accounts,dc=acme,dc=pki,dc=example,dc=com -s one -o ldif_wrap=no -LLL
dn: acmeAccountId=_8lZ3sbJGbfR89vtHmbXr75akJMryXviFsuG0fSVkBE,ou=accounts,dc=acme,dc=pki,dc=example,dc=com
objectClass: acmeAccount
acmeAccountId: _8lZ3sbJGbfR89vtHmbXr75akJMryXviFsuG0fSVkBE
acmeCreated: 20250703162536+0000
acmeAccountKey: {"e":"AQAB","kty":"RSA","n":"zkSxxiul_EUb8obD1cKxdk7EC253u1PVrFhkfOC6efqmy05bOw87fFXDSjGE1-TjAmYYpU8Y2CS_iTugh0zzzVvtv28LJWkF8icxLonIg2_KLtCT5NXK10PSpjUGd1oNm-G8kx6fBKi-I6CvnCRHVu1lLeRUkbEjexH22F7Vuj9zQ60iru6CAT4B9gOXWLznyR1f1A2uCCoEbJYKz3z9rOrfwYJM3zOAItKnOoOJ4sALA3LXYlocKmGjYCGXg0X-yHASIIMmZK5Q5YjFO7kEqddwYXGA584Tf9zY-9NBdeJWM_vzIJPpurA_NR0-_9F2DuDInhZhkD-rjLNnusCw-Q"}
acmeStatus: valid
acmeAccountContact: testuser
```

Certificate enrollment with HTTP-01:

```
# certbot certonly --standalone --server http://$HOSTNAME:8080/acme/directory -d pki1.example.com --preferred-challenges http --key-type rsa
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for pki1.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pki1.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pki1.example.com/privkey.pem
This certificate expires on 2025-10-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# pki ca-cert-find
---------------
7 entries found
---------------
  Serial Number: 0x1
...
...
  Serial Number: 0x7
  Subject DN: CN=pki1.example.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Thu Jul 03 16:34:00 UTC 2025
  Not Valid After: Wed Oct 01 16:34:00 UTC 2025
  Issued On: Thu Jul 03 16:34:00 UTC 2025
  Issued By: caadmin
----------------------------
Number of entries returned 7
----------------------------
# pki ca-cert-show 0x7 --pretty
  Serial Number: 0x7
  Subject DN: CN=pki1.example.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: VALID
  Not Valid Before: Thu Jul 03 16:34:00 UTC 2025
  Not Valid After: Wed Oct 01 16:34:00 UTC 2025
  Certificate:
    Data:
      Version: v3
      Serial Number: 0x7
      Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
      Issuer: CN=CA Signing Certificate, OU=pki-tomcat, O=EXAMPLE
      Validity:
        Not Before: Thursday, July 3, 2025, 4:34:00 PM Coordinated Universal Time Etc/UTC
        Not After: Wednesday, October 1, 2025, 4:34:00 PM Coordinated Universal Time Etc/UTC
      Subject: CN=pki1.example.com
      Subject Public Key Info:
        Algorithm: RSA - 1.2.840.113549.1.1.1
        Public Key:
          Exponent: 65537
          Public Key Modulus: (2048 bits) :
            BB:D2:7E:E4:DA:D2:60:22:73:68:40:76:77:A9:9C:6D:
```

Certificate renewal:

```
# certbot renew --server http://$HOSTNAME:8080/acme/directory --cert-name pki1.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pki1.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/pki1.example.com/fullchain.pem expires on 2025-10-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Revoke a certificate:

```
[root@pki1 fedora]# certbot revoke --server http://$HOSTNAME:8080/acme/directory --cert-path /etc/letsencrypt/live/pki1.example.com/cert.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the certificate(s) you just revoked, along with all
earlier and later versions of the certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * pki1.example.com

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Deleted all files relating to certificate pki1.example.com.
Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/pki1.example.com/cert.pem.
# pki ca-cert-find
---------------
8 entries found
---------------
...
...
  Serial Number: 0x8
  Subject DN: CN=pki1.example.com
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Status: REVOKED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Thu Jul 03 18:11:53 UTC 2025
  Not Valid After: Wed Oct 01 18:11:53 UTC 2025
  Issued On: Thu Jul 03 18:11:53 UTC 2025
  Issued By: caadmin
  Revoked On: Thu Jul 03 18:13:36 UTC 2025
  Revoked By: caadmin
----------------------------
Number of entries returned 8
----------------------------
```

Update an ACME account:

```
# certbot update_account --server http://$HOSTNAME:8080/acme/directory -m newemail
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Your e-mail address was updated to newemail.
[root@pki1 fedora]# ldapsearch -H ldap://pki1.example.com:389 -D "cn=Directory Manager" -w password -b ou=accounts,dc=acme,dc=pki,dc=example,dc=com -s one -o ldif_wrap=no -LLL
dn: acmeAccountId=_8lZ3sbJGbfR89vtHmbXr75akJMryXviFsuG0fSVkBE,ou=accounts,dc=acme,dc=pki,dc=example,dc=com
objectClass: acmeAccount
acmeAccountId: _8lZ3sbJGbfR89vtHmbXr75akJMryXviFsuG0fSVkBE
acmeCreated: 20250703162536+0000
acmeAccountKey: {"e":"AQAB","kty":"RSA","n":"zkSxxiul_EUb8obD1cKxdk7EC253u1PVrFhkfOC6efqmy05bOw87fFXDSjGE1-TjAmYYpU8Y2CS_iTugh0zzzVvtv28LJWkF8icxLonIg2_KLtCT5NXK10PSpjUGd1oNm-G8kx6fBKi-I6CvnCRHVu1lLeRUkbEjexH22F7Vuj9zQ60iru6CAT4B9gOXWLznyR1f1A2uCCoEbJYKz3z9rOrfwYJM3zOAItKnOoOJ4sALA3LXYlocKmGjYCGXg0X-yHASIIMmZK5Q5YjFO7kEqddwYXGA584Tf9zY-9NBdeJWM_vzIJPpurA_NR0-_9F2DuDInhZhkD-rjLNnusCw-Q"}
acmeStatus: valid
acmeAccountContact: newemail
```

Deactivate ACME account:

```
# certbot unregister --server http://$HOSTNAME:8080/acme/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Are you sure you would like to irrevocably deactivate your account?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(D)eactivate/(A)bort: D
Account deactivated.
# certbot show_account --server http://$HOSTNAME:8080/acme/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find an existing account for server http://pki1.example.com:8080/acme/directory.
```

Hence, as per the simple tests, EST and ACME services are both working as expected after an upgrade.
Filed an issue encountered while deploying EST on the upgraded PKI version: https://bugzilla.redhat.com/show_bug.cgi?id=2375332. This will be addressed separately.