I am investigating importing our TLS certificates using the SFOS API but running into an error that I am struggling to understand.
The request XML:
<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1905.1">
  <!-- API Authentication -->
  <Login>
    <Username>{{api_username}}</Username>
    <Password>{{api_password}}</Password>
  </Login>
  <!-- API Request Body -->
  <Set operation='add'>
    <Certificate>
      <Action>UploadCertificate</Action>
      <Name>AnsiblePKICertificate</Name>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>AnsiblePKICertificate.pem</CertificateFile>
      <PrivateKeyFile>AnsiblePKICertificate.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
The error within XML response:
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1905.1" IPS_CAT_VER="1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <Certificate transactionid="">
    <Status code="500">Operation could not be performed on Entity.</Status>
  </Certificate>
</Response>
/bin/curl \
-F "reqxml=</workspace/playbooks/linux/templates/sfos/sfos-api-cert.xml" \
-F "file=@/tmp/ansible-pki/{{ inventory_hostname }}.tls.crt;filename=AnsiblePKICertificate.pem" \
-F "file=@/tmp/ansible-pki/{{ inventory_hostname }}.tls.key;filename=AnsiblePKICertificate.key" \
-k https://{{ ansible_host }}:4443/webconsole/APIController
INFO Aug 09 18:58:27Z [13523]: Start Login Handler,Component : Login
ERROR Aug 09 18:58:27Z [13523]: Key:ISCrEntity is not found in RequestMap File for Login.
INFO Aug 09 18:58:27Z [13523]: Mapping file for Login component is /_conf/csc/IOMappingFiles//1905.1/Login/Login.xml
ERROR Aug 09 18:58:27Z [13523]: Flag setting for this opcode is 18.
INFO Aug 09 18:58:28Z [13523]: Opcode response: status:200
INFO Aug 09 18:58:28Z [13523]: Authentication Successful
INFO Aug 09 18:58:28Z [13523]: Start Set Handler,Component : Certificate
ERROR Aug 09 18:58:28Z [13523]: Key:ISCrEntity is not found in RequestMap File for Certificate.
WARNING Aug 09 18:58:28Z [13523]: Transaction id is missing of for the component : <Certificate>.
ERROR Aug 09 18:58:28Z [13523]: type != const in logicaloperator.So string comparision is done.
ERROR Aug 09 18:58:28Z [13523]: type != const in logicaloperator.So string comparision is done.
ERROR Aug 09 18:58:28Z [13523]: Parser Error: xmlvalue for jsonkey="uploadcertpassword", xmlelement="/Certificate/Password" cannot be found in request file.
ERROR Aug 09 18:58:28Z [13523]: type != const in logicaloperator.So string comparision is done.
ERROR Aug 09 18:58:28Z [13523]: type != const in logicaloperator.So string comparision is done.
ERROR Aug 09 18:58:28Z [13523]: Flag setting for this opcode is 16.
INFO Aug 09 18:58:28Z [13523]: Opcode response: status:500
INFO Aug 09 18:58:28Z [13523]: End SET Handler, Status : Success, Component : Certificate, Transaction : NONE, Operation : add.
MESSAGE Aug 09 18:58:28Z [13523]: ENTITY 'Certificate' IMPORT Success
INFO Aug 09 18:58:28Z [13523]: Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1691607507548826.txt /sdisk/API-1691607507548826 /sdisk/APIXMLOutput/1691607507546.xml /sdisk/API-1691607507548826.tar /sdisk/API-1691607507548826.log 0 status:3
INFO Aug 09 18:58:28Z [13523]: No need to create Tar file. Response file is /sdisk/APIXMLOutput/1691607507546.xml
My understanding from the API documentation is that the password field is not mandatory and the certs generated from cert-manager do not have a passphrase. Where am I going wrong?
You might try <Set operation="update">.
My XML is successful on 19.5MR3 - check there's no Cert with same name before importing!
<Request>
  <Login>
    <Username>ADMIN</Username>
    <Password>MYPASSWORD</Password>
  </Login>
  <Set operation="update">
    <Certificate transactionid="10">
      <Name>Test Wildcard 2023</Name>
      <Action>UploadCertificate</Action>
      <CertificateFormat>pem</CertificateFormat>
      <CertificateFile>TestCertificate.pem</CertificateFile>
      <PrivateKeyFile>TestCertificate.key</PrivateKeyFile>
    </Certificate>
  </Set>
</Request>
Just wanted to update everyone. My issue came down to having a split-brain with high-availability that prevented certificates from being imported.
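Added example, not part of the thread and not Sophos code: the log above ends with `Status : Success` and `IMPORT Success` even though the Certificate entity returned code 500, so automation around this request should read the per-entity `Status` code in the response body (and the opcode status in the log) instead. The function names are hypothetical, the samples are built from the response and log lines posted above, and treating only 2xx codes as success is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the response body from the thread, attribute "=" restored.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1905.1" IPS_CAT_VER="1">
  <Login><status>Authentication Successful</status></Login>
  <Certificate transactionid="">
    <Status code="500">Operation could not be performed on Entity.</Status>
  </Certificate>
</Response>"""

# Constructed sample: four lines copied from the log in the thread.
SAMPLE_LOG = """\
INFO Aug 09 18:58:28Z [13523]: Start Set Handler,Component : Certificate
INFO Aug 09 18:58:28Z [13523]: Opcode response: status:500
INFO Aug 09 18:58:28Z [13523]: End SET Handler, Status : Success, Component : Certificate, Transaction : NONE, Operation : add.
MESSAGE Aug 09 18:58:28Z [13523]: ENTITY 'Certificate' IMPORT Success
"""

def response_failures(xml_bytes):
    """Return (login_ok, [(entity, code, message), ...]) for non-2xx entities."""
    root = ET.fromstring(xml_bytes)
    login_ok = root.findtext("Login/status") == "Authentication Successful"
    failures = []
    for entity in root:
        if entity.tag == "Login":
            continue
        status = entity.find("Status")
        code = status.get("code") if status is not None else None
        # Assumption: only 2xx codes mean the operation was applied.
        if code is None or not code.startswith("2"):
            text = (status.text or "").strip() if status is not None else ""
            failures.append((entity.tag, code, text))
    return login_ok, failures

def opcode_statuses(log_text):
    """Pair each 'Start <op> Handler,Component : X' with the opcode status after it."""
    component, result = None, []
    for line in log_text.splitlines():
        start = re.search(r"Start \w+ Handler,Component : (\w+)", line)
        if start:
            component = start.group(1)
        status = re.search(r"Opcode response: status:(\d+)", line)
        if status and component:
            result.append((component, int(status.group(1))))
    return result
```

A non-empty failure list, or any non-2xx opcode status, should fail the deployment task even when the log's last lines say Success.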