[MAN] pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any #2409

pki-bot · 2020-10-03T01:15:52Z

This issue was migrated from Pagure Issue #2289. Originally filed by jpazdziora on 2016-04-20 23:23:57:

Closed as None
Assigned to edewata (@edewata)
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1399862
- https://bugzilla.redhat.com/show_bug.cgi?id=1316653

The man pki-cert(1) says:

   Then, fill in the values in the XML file and  submit  the
   request  for review.  This can be done without authentication.

   pki ca-cert-request-submit <request file>

Attempt to do that fails.

Steps to Reproduce:

1. Install and configure FreeIPA/IdM server.
2. Run pki ca-cert-request-profile-find
3. Run pki ca-cert-request-profile-show caInstallCACert --output template.xml
4. Run pki ca-cert-request-submit template.xml ; echo $?

Actual results:

UnauthorizedException: AuthCredentials.set()
255

Expected results:

No error, exit status 0, and the CSR submitted.

Additional Info:

Refer to https://bugzilla.redhat.com/show_bug.cgi?id=1316653 for more details.

The text was updated successfully, but these errors were encountered:

pki-bot · 2020-10-03T01:15:53Z

Comment from mharmsen (@mharmsen) at 2016-04-20 23:31:35

Per CS Triage held on 4/19/2016: 10.3.0 or 10.3.1

pki-bot · 2020-10-03T01:15:54Z

Comment from edewata (@edewata) at 2016-04-22 10:33:47

The man page is inaccurate and should be fixed. Some profiles actually do require authentication:
http://pki.fedoraproject.org/wiki/Certificate_Profiles

The caInstallCACert is an internal profile used during PKI server installation. Also, it requires token authentication which is currently not supported by the pki CLI. A more general profile for CA certificates is probably the caCACert which does not require authentication.