pki-server cert-fix operation shows no output except deprecation warnings #4949

Open
taherrin opened this issue Feb 3, 2025 · 0 comments
taherrin commented Feb 3, 2025

Summary:

When using the pki-server cert-fix command, the output no longer shows the status of the cert-fix operation.

Build:

OS: fedora-41
Build: dogtag-pki-11.6.0-0.3.alpha3.20250131152214UTC.0a88a9be.fc41.x86_64
COPR: @pki/master

Steps to reproduce:

  1. Install dogtag-pki packages
  2. Install DS & CA
  3. Run pki-server cert-fix command:
# pki-server cert-fix --ldap-url ldap://pki1.example.com:389 --agent-uid caadmin -i topology-00-CA -p 20443

Expected Result:

The output should show the status of the cert-fix operation

# pki-server --help
INFO: Loading instance type: pki-tomcatd
INFO: Loading instance: topology-00-CA
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /var/lib/pki/topology-00-CA/conf/tomcat.conf
INFO: Loading password config: /var/lib/pki/topology-00-CA/conf/password.conf
INFO: Loading subsystem config: /var/lib/pki/topology-00-CA/conf/ca/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/topology-00-CA/conf/ca/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/topology-00-CA/topology-00-CA
INFO: Fixing the following system certs: ['ca_ocsp_signing', 'sslserver', 'subsystem', 'ca_audit_signing']
INFO: Renewing the following additional certs: []
Enter Directory Manager password: 
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP connection for CA
INFO: Storing subsystem config: /var/lib/pki/topology-00-CA/conf/ca/CS.cfg
INFO: Storing registry config: /var/lib/pki/topology-00-CA/conf/ca/registry.cfg
INFO: Setting selftests.container.order.startup to CAPresence, SystemCertsVerification
INFO: Storing subsystem config: /var/lib/pki/topology-00-CA/conf/ca/CS.cfg
INFO: Storing registry config: /var/lib/pki/topology-00-CA/conf/ca/registry.cfg
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=caadmin,ou=people,o=topology-00-CA-CA
INFO: Creating a temporary sslserver cert
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: SKI: 0x6777E55975A58250971D0A91DCC88408F85C5097
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: Creating AKID extension:
INFO: - keyid
INFO: - AKID: 0x6777e55975a58250971d0a91dcc88408f85c5097
INFO: Creating key usage extension:
INFO: - critical
INFO: - digitalSignature
INFO: - nonRepudiation
INFO: - keyEncipherment
INFO: - dataEncipherment
INFO: Creating extended key usage extension:
INFO: - serverAuth
INFO: Temp cert for sslserver is available at /var/lib/pki/topology-00-CA/conf/certs/sslserver.crt.
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: NSSDatabase: Importing cert Server-Cert cert-topology-00-CA into Internal Key Storage Token
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for ca_ocsp_signing
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 278373290198096421295102290526709575295
INFO: Request ID: 84086684423735707200951288362975952505
INFO: Request Status: complete
INFO: Serial Number: 0xf6c12eafc64ff089c6bfccdab12f9527
INFO: Issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: Subject: CN=CA OCSP Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: New cert is available at: /var/lib/pki/topology-00-CA/conf/certs/ca_ocsp_signing.crt
INFO: Requesting new cert for sslserver
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 281408239077615326066274605522303057409
INFO: Request ID: 206077800539468764439139295278403649870
INFO: Request Status: complete
INFO: Serial Number: 0x27da67338993f5e105fe1a0696523515
INFO: Issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: Subject: CN=pki1.example.com,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: New cert is available at: /var/lib/pki/topology-00-CA/conf/certs/sslserver.crt
INFO: Requesting new cert for subsystem
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 105547520523090159906889705393629022693
INFO: Request ID: 168601289268192895280018314915886530806
INFO: Request Status: complete
INFO: Serial Number: 0xea0eab582303d224c73e8295d770936a
INFO: Issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: Subject: CN=Subsystem Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: New cert is available at: /var/lib/pki/topology-00-CA/conf/certs/subsystem.crt
INFO: Requesting new cert for ca_audit_signing
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 10597335687972365775415769547024874632
INFO: Request ID: 71453930562412349778579347789824850258
INFO: Request Status: complete
INFO: Serial Number: 0xab90f43dd6eade3edd2e4603b80e2745
INFO: Issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: Subject: CN=CA Audit Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
INFO: New cert is available at: /var/lib/pki/topology-00-CA/conf/certs/ca_audit_signing.crt
INFO: Stopping the instance
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: NSSDatabase: Importing cert ocspSigningCert cert-topology-00-CA CA into Internal Key Storage Token
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: NSSDatabase: Importing cert Server-Cert cert-topology-00-CA into Internal Key Storage Token
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: NSSDatabase: Importing cert subsystemCert cert-topology-00-CA into Internal Key Storage Token
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: NSSDatabase: Importing cert auditSigningCert cert-topology-00-CA CA into Internal Key Storage Token
INFO: Importing new subsystem cert into uid=pkidbuser,ou=people,o=topology-00-CA-CA
modifying entry "uid=pkidbuser,ou=people,o=topology-00-CA-CA"

INFO: Setting selftests.container.order.startup to CAPresence:critical, SystemCertsVerification:critical
INFO: Storing subsystem config: /var/lib/pki/topology-00-CA/conf/ca/CS.cfg
INFO: Storing registry config: /var/lib/pki/topology-00-CA/conf/ca/registry.cfg
INFO: Selftests enabled for subsystems: ca
INFO: Restoring LDAP connection for CA
INFO: Storing subsystem config: /var/lib/pki/topology-00-CA/conf/ca/CS.cfg
INFO: Storing registry config: /var/lib/pki/topology-00-CA/conf/ca/registry.cfg
INFO: Starting the instance with renewed certs

Actual Result:

Cert-fix output displays mostly deprecation warnings, even with the --debug option:

# pki-server -v --debug cert-fix --ldap-url ldap://pki1.example.com:389 --agent-uid caadmin -i topology-00-CA -p 20443
Enter Directory Manager password: 
WARNING: No selftests configured in /var/lib/pki/topology-00-CA/conf/ca/CS.cfg (selftests.container.order.startup).
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1649: The PKIConnection parameter in AccountClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1789: The PKIConnection parameter in CertClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1649: The PKIConnection parameter in AccountClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1789: The PKIConnection parameter in CertClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1649: The PKIConnection parameter in AccountClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1789: The PKIConnection parameter in CertClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1649: The PKIConnection parameter in AccountClient.__init__() has been deprecated. Provide PKIClient instead.
WARNING: /usr/lib/python3.13/site-packages/pki/server/__init__.py:1789: The PKIConnection parameter in CertClient.__init__() has been deprecated. Provide PKIClient instead.
modifying entry "uid=pkidbuser,ou=people,o=topology-00-CA-CA"

@taherrin taherrin changed the title pki-server cert-fix operation shows no output except depreciation warnings pki-server cert-fix operation shows no output except deprecation warnings Feb 12, 2025