Dear list,

finally I fixed this problem. After a deep flight into the OpenCA code I found the following in openca/lib/cmds/scepPKIOperation:

---8<---
...
sub cmdscepPKIOperation
...
    foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                ScepDefaultRA ScepRenewalRDNMatch ScepKeepSubjectAltName
                ScepAutoApprove)) {
        my $val = getRequired($_);
        eval "\$$_ = \$val";
    }
...
--->8---

I estimate that EACH of the values is required and my scep.conf.template shows:

---8<---
## ============== [ General Section ] =========================
ScepAllowEnrollment     "YES"
ScepAllowRenewal        "YES"
ScepKeepSubjectAltName  "YES"
ScepRenewalRDNMatch     ""

# Defaults for initial enrollment
ScepDefaultRole         "User"
#ScepDefaultRA          "MyRA"
ScepAutoApprove         "NO"
--->8---

'ScepDefaultRA' was uncommented... so the compilation of cmdScepPKIOperation failed. After uncommenting this value the compilation was successful.

Wouldn't it be better to give a little bit more error handling here, like:

    foreach $value (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                       ScepDefaultRA ScepRenewalRDNMatch ScepKeepSubjectAltName
                       ScepAutoApprove)) {
        die "$value missing in configfile: $!" if not defined $value;
        my $val = getRequired($value);

This would save much time and nerves. ;-)

However, after fixing this and reading the other SCEP related mails, SCEP works now. And I did not have to make the scep directive separately. I think on OpenCA 0.9.2.5 this issue has been removed.

Thanks

Ralf

> Ralf Hornik Mailings wrote:
> Hi Martin,
>
> Both debugging flags are enabled, there is no other output.
> However, the openca-scep commands work, when I make it manually using the
> shell.
>
> I think, the problem is on the web interface.
>
> Regards
>
> Ralf
>
>> Martin Bartosch wrote:
>> Hi,
>>
>>> The exact error output with debugging enabled is:
>>
>> there are no SCEP debug messages in the log file. Did you set both
>> Debug flags to 1 in log.xml? Such as:
>>
>> <openca>
>> <debug>1</debug>
>> <stderr>/usr/local/openca-0.9.2/var/log/stderr.log</stderr>
>> <log>
>> <debug>1</debug>
>> <slots>
>> ...
>>
>> After setting this you should restart OpenCA.
>>
>> You should get debug messages like the sample below. Please post this
>> output.
>>
>> cheers
>>
>> Martin
>>
>>
>> OpenCA::AC-> access granted
>> OpenCA::AC->initToken: starting
>> OpenCA::AC->initToken: successfully finished
>> cmds->cmdScepPKIOperation: execute5: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_transid
>> cmds->cmdScepPKIOperation: Pipe returned error code 0
>> cmds->cmdScepPKIOperation: tid:
>> cmds->cmdScepPKIOperation: execute_bt: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_scert > /usr/local/openca-0.9.2/var/tmp/scep_client_12872.crt
>> cmds->cmdScepPKIOperation: Backtick expansion returned error code 0
>> cmds->cmdScepPKIOperation: execute1: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_msgtype
>> cmds->cmdScepPKIOperation: Pipe returned error code 0
>> cmds->cmdScepPKIOperation: msgtype: PKCSReq (19)
>>
>> cmds->cmdScepPKIOperation: execute6: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_req
>> cmds->cmdScepPKIOperation: Pipe returned error code 0
>> cmds->cmdScepPKIOperation: csr: -----BEGIN CERTIFICATE REQUEST-----
>> ...
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
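Added example, not part of the original message and not OpenCA code: a stand-alone Perl check that names every required SCEP key missing from a configuration and keeps the values in a hash rather than creating variables through a string eval. The `Key "value"` line format is assumed from the template quoted in the message; `parse_conf` and `missing_keys` are hypothetical helper names.

```perl
use strict;
use warnings;

# Required keys, taken from the loop quoted in the message above.
my @REQUIRED = qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                  ScepDefaultRA ScepRenewalRDNMatch ScepKeepSubjectAltName
                  ScepAutoApprove);

# Hypothetical parser: one 'Key "value"' pair per line, '#' starts a comment line.
sub parse_conf {
    my ($text) = @_;
    my %conf;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comment and blank lines
        $conf{$1} = $2 if $line =~ /^\s*(\w+)\s+"([^"]*)"\s*$/;
    }
    return \%conf;
}

# Return the required keys that are absent. An empty value such as
# ScepRenewalRDNMatch "" counts as present, so test existence, not truth.
sub missing_keys {
    my ($conf) = @_;
    return grep { !exists $conf->{$_} } @REQUIRED;
}

# Constructed sample: the template from the message, ScepDefaultRA still '#'-prefixed.
my $sample = <<'CONF';
## ============== [ General Section ] =========================
ScepAllowEnrollment     "YES"
ScepAllowRenewal        "YES"
ScepKeepSubjectAltName  "YES"
ScepRenewalRDNMatch     ""
# Defaults for initial enrollment
ScepDefaultRole         "User"
#ScepDefaultRA          "MyRA"
ScepAutoApprove         "NO"
CONF

my $conf    = parse_conf($sample);
my @missing = missing_keys($conf);

# Fail once, up front, with the name of every missing key.
die "scep.conf: missing required key(s): @missing\n" if @missing;

# Reached only for a complete configuration; values are read from the hash.
printf "%-24s = \"%s\"\n", $_, $conf->{$_} for @REQUIRED;
```

Run against the constructed sample, the script stops at the `die` and reports ScepDefaultRA; removing the leading `#` from that line lets it print all seven values.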