
dcmrenew - what does it do?

Open richardm90 opened this issue 1 year ago • 8 comments

I've successfully been able to import my Let's Encrypt certificate into the *SYSTEM certificate store using the dcmimport command. I used acme.sh to generate the certificate.

After renewing my certificate (using acme.sh) I thought the dcmrenew command would refresh the certificate in DCM, but it doesn't appear to.

The dcmrenew command expects one or more filenames and has a single optional parameter of -y. When I run the command and specify my renewed certificate filename it responds with null - nothing more. In fact it surprised me that it didn't have more parameters, for example the DCM password, so maybe it doesn't refresh the certificate in DCM.

What does the dcmrenew command do?

richardm90 avatar Jul 23 '23 19:07 richardm90

delegating to @tlhaze to explain what the renew action does, but it ultimately just calls the QycdRenewCertificate API documented here

The minimum release requirement for this API is IBM i 7.4. (sadly, the tool does not check for this and provide proper feedback)

If the command responds with just null that implies a programming error (even if the problem is that a better error message is needed). Can you run the command using -v on the command line and send in the results?

ThePrez avatar Aug 13 '23 22:08 ThePrez

Thanks @ThePrez , I'll take another look and feedback.

richardm90 avatar Aug 15 '23 08:08 richardm90

The API that is being used is QycdRenewCertificate.

The documentation has 3 formats for input. I suspect that the correct format to be used in dcmrenew would be format RNWC0300, whose only input is the IFS path and file name of the certificate file.

That will perform an import of the certificate replacing the already existing certificate in the certificate store which is assigned to your application definitions.

After the import/replace is complete, applications are notified of the certificate change.

tlhaze avatar Aug 15 '23 11:08 tlhaze

Many apologies for the delay in responding. I've tried renewing my test certificate again and still get the same result. When I enter the dcmrenew -v command I get the following so -v is not a valid option.

$ dcmrenew -v
ERROR: no input files specified
Usage: dcmrenew [[filename] ..]

    Valid options include:
        -y:                            Do not ask for confirmation

I forced a renewal of my certificate using acme.sh and then attempted to renew the certificate in DCM with the following command. I was not prompted to enter the DCM password.

$ dcmrenew /home/RICHARD/.acme.sh/mydomain/mydomain.cer
null

I have only just installed DCM-tools using the following command on a clean 7.5 machine.

yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.3.0/dcmtools-0.3.0-0.ibmi7.2.ppc64.rpm

I was able to successfully import my certificate using DCM-tools; it's just the renew option I can't get to work.

richardm90 avatar Sep 25 '23 16:09 richardm90

To try and better understand how the dcmrenew command works I've tried using the QycdRenewCertificate API directly from an RPG program, and I must confess I'm not much further forward.

What surprises me about both the dcmrenew command and the QycdRenewCertificate API is that neither asks for the keystore or password, so I'm wondering if I don't understand what the renew API does.

Here's what I'm trying to achieve, all in the PASE environment.

  1. Produce a Let's Encrypt certificate using the acme.sh script - done, I can generate a certificate in the IFS
  2. Convert my certificate to PKCS12 (PFX) format for import to DCM - done, using the openssl command
  3. Import the certificate (as a client/server certificate) to DCM using the dcmimport command - not possible, see issue #47. Note that I have been able to import the certificate (as a client/server certificate) using the QykmImportKeyStore API from an RPG program
  4. Renew my Let's Encrypt certificate using the acme.sh script - done, I can renew my certificate in the IFS
  5. Renew the DCM certificate using the dcmrenew command - not possible, as documented above

Is this how the dcmrenew command is intended to be used, i.e. can I use it to import a renewed certificate? If this were the case then I would have expected it to ask for the keystore and password, which makes me believe this isn't the intended use.

When I try using the QycdRenewCertificate API to renew my certificate in an RPG program using the RNWC0300 format, it fails with a message id of CPF3CF2 - "Error(s) occurred during running of qycu_checkForBase64Certificate : RC=79 API". A message is also sent to QSYSOPR "Software problem data for QYCUCTMGR has been logged. Refer to help text for additional information." and a problem raised with the symptom text of "5770 SP/QYCUCTMGR MOD/QYCUCTMGR RC18012000".

There is very little information out there for the QycdRenewCertificate API and certainly nothing relating to the qycu_checkForBase64Certificate procedure.

Just after a bit of clarification that what I'm trying to do should be possible.

richardm90 avatar Oct 24 '23 20:10 richardm90

@richardm90, when you get the certificate from the Let's Encrypt acme.sh script, is it an X.509 certificate file with Base64 encoding?
Or is it being converted to a PKCS#12 file? When using the QycdRenewCertificate API with format RNWC0300, the file pointed to by the parameter should be an X.509 Base64 certificate. The private key associated with that certificate already exists in the certificate store, so the API is simply replacing the old certificate with the new certificate in the *SYSTEM certificate store.

If you believe the file is a Base64 certificate, is it possible that the method used to upload it to the IFS caused the CCSID of the file to change, resulting in something the DCM import code does not recognize as a Base64 file?

To verify the file is being stored correctly in the IFS, use WRKLNK to display the file and ensure you see the content correctly and do NOT see an "Incorrect CCSID" error at the bottom of the viewer.

tlhaze avatar Oct 25 '23 19:10 tlhaze

@tlhaze , thanks for the info, it gave me some new things to try.

Yes, my certificate is an X.509 Base64 encoded certificate that I can view via both the ACS IFS tool and WRKLNK.

Re: QycdRenewCertificate API

I have now managed to renew my certificate using the QycdRenewCertificate API with format RNWC0300 from an RPGLE program. The problem was CCSID.

The certificates were generated on the IBM i (within the PASE environment) so the files weren't transferred to the IFS. When generated, the certificate files had a CCSID of 1208, which seemed pretty sensible to me. My IBM i server has a QCCSID value of 1146 so I tried setting the CCSID of the certificate file to 1146, but still the renew failed. I then tried CCSID 819 and this worked; my certificate was renewed. CCSID 1252 also works. I'm glad I got it to work but I don't understand why 1208 didn't work. Do you know why CCSID 1208 didn't work and what CCSID values are acceptable to the API?

Re: dcmrenew

This does not work. Although I'm not a Java programmer I can see some problems in the code so I'll pull together the details for the corrections I've found and generate a PR.

richardm90 avatar Oct 28 '23 16:10 richardm90
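A pre-flight script for the two failure modes discussed in this thread (a file that is not a Base64 X.509 certificate, and a certificate file carrying a CCSID the RNWC0300 import rejects). This is an added example, not code from DCM-tools or from anyone in the thread; it assumes the PASE `attr` and `setccsid` commands and their output format, and uses 819 only because that is the value reported to work above.

```sh
#!/bin/sh
# Added example (not part of DCM-tools): checks to run on an acme.sh output
# file before handing it to dcmrenew / QycdRenewCertificate format RNWC0300.

# Return 0 if FILE looks like a Base64 (PEM) X.509 certificate: both PEM
# markers are present and every line between them is base64 text. A PKCS#12
# or DER file has no markers and is rejected here rather than by the API.
is_pem_cert() {
    f=$1
    [ -r "$f" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----' "$f" || return 1
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$f" \
           | grep -v -- '-----')
    [ -n "$body" ] || return 1
    # any line containing a non-base64 character means this is not PEM
    printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]*$' && return 1
    return 0
}

# Print the CCSID attribute of FILE via the PASE attr command (assumed to
# print "CCSID=<n>"); prints "unknown" when attr is not available off-box.
file_ccsid() {
    if command -v attr >/dev/null 2>&1; then
        attr "$1" CCSID 2>/dev/null | awk -F= '{print $2}'
    else
        echo unknown
    fi
}

# Tag FILE with CCSID 819 using setccsid (IBM i PASE only); the content is
# not converted, only the attribute the import code looks at is changed.
ensure_ccsid_819() {
    command -v setccsid >/dev/null 2>&1 || { echo "setccsid not found" >&2; return 1; }
    setccsid 819 "$1"
}

main() {
    f=${1:?usage: $0 /path/to/mydomain.cer}
    is_pem_cert "$f" || { echo "$f is not a Base64 X.509 certificate" >&2; exit 2; }
    echo "CCSID before: $(file_ccsid "$f")"
    ensure_ccsid_819 "$f" || exit 3
    echo "CCSID after:  $(file_ccsid "$f")"
    dcmrenew -y "$f"
}

# Run only when a certificate path is supplied (keeps the functions sourceable).
if [ $# -gt 0 ]; then main "$@"; fi
```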

Hi @tlhaze, I created PR #48. However, it's not fully corrected; there are a couple of issues that I could do with someone having a look at. I've added these issues to the PR as a comment.

richardm90 avatar Oct 31 '23 12:10 richardm90