Hi Dave,

>> when exactly does this error occur? (...)
> In the RA, when I go to Information | CA Certificates | Valid. It will
> list the CA certificate and its serial. When I click on the serial I get
> the error.

The command for the menu entry is in src/web-interfaces/ra/ra-menu.xml and src/web-interfaces/ca/ca-menu.xml respectively. The command is a link "?cmd=listCerts;dataType=VALID_CA_CERTIFICATE" here. So, the data type is correct in this place, otherwise you wouldn't see the CA certificate and the serial.

The next step, when you click on the link, works in my installation. However, the link is dynamically created based on the data coming from the database and from the query string. In my case it looks like "?cmd=viewCert&dataType=VALID_CA_CERTIFICATE&key=285d679ec8a483177c95971fbc139ef2;xsrf_protection_token=26cf44a8f72eecf77c1db618a16b039c" so the datatype "VALID_CA_CERTIFICATE" should be here again. Can you check this?

>> it could be a configuration problem. Have a look at those files:
>> etc/openca/rbac/acl.xml
>> etc/openca/access_control/*.xml
> I have looked at these files (they are stock) but I don't see anything
> the matter.

OK, this was just a guess due to the lines of code around the error number you mentioned in your previous mail. At the moment I can't see the relation between these error messages and the click on the serial number of the CA certificate, yet. But I think we are narrowing things down step by step.

>
>> You expect "CA_CERTIFICATE" here, right?
> Yes. It does look for CA_CERTIFICATE during the ListCerts cmd operation
> but not during either the viewCert or viewCertFull cmd operations.

The directory where OpenCA looks for the commands executed is configured in the etc/openca/access_control/*.xml files and the sources for those commands can be found in src/common/lib/cmds/ but perhaps you have found them already. There is the listCerts file which contains the sub cmdListCerts. That one takes the $query (i.e. the link from the menu) and parses it. $dataType is one of the things it extracts. @certsList is filled by the database query, which seems to work also (at least more or less) for you, at minimum it returns the CA certificate into the list. $type is filled out by $dataType parsed from the link calling the script. So, this should appear as query argument "dataType" in the link behind the serial and by clicking that link it should be sent to viewCert.
There again, $dataType is parsed from the $query just as it was for listCerts, but somehow this doesn't work correctly in your environment. In viewCert there is some magic done to distinguish between CERTIFICATE and CA_CERTIFICATE and handle the various queries for valid, expired, suspended, and revoked certificates. I'd suggest looking further into this after you have checked the query string of the link behind the serial.

>
> The root certificate is definitely in the database and appears fine.

Could you check if the field "status" in the table "ca_certificate" contains the string "VALID"?

> Just a side note, this was a backup/restore from an older installation
> (version 1.0.2) on a different box.
>
> The only other operation that seems to fail is the signature verification
> which could be related.

This might be of importance. How did you do the restore? Just by replaying an sqldump back into the database or reimporting the certificates into the database? You should also have copied some of the files, at least the CA certificate and key. I believe there is a backup script which should do all the necessary steps, but I don't know how many versions of OpenCA you can skip between export and reimport. In the node interface you have also a menu item to rebuild the CA chain which creates the symlinks with hashes, in case those are missing.

To come back to the original question: we should keep the backup/restore in mind and perhaps have a look at the database structures (that's the reason for my question again about the CA certificate in the database).

Best regards,
Martin