Hi

Ok, thx. Found it.

When I comment out the condition scep_signer_cert_active in 
workflow/def/enrollment.yaml it works.

What does scep_signer_cert_active stand for and where can I configure it?

Where can I find documentation on conditions?


Regards,
Lukas

On 13.07.2015 12:01, Oliver Welter wrote:
> Hi Lukas,
> 
> this looks more like a "problem" in the workflow which can simply be a 
> violation of the internal policy (duplicate subject, wrong keysize, etc). 
> Check the output of the workflow history and context on the UI if you can see 
> the reason for the error, if not please post the history and context dump for 
> further analysis.
> 
> This page describes how the workflow works and gives a brief explanation on 
> some of the values in the context:
> https://openxpki.readthedocs.org/en/latest/reference/configuration/workflows/scep.html
> 
> Oliver
> 
> On 13.07.2015 at 11:16, Lukas Habegger wrote:
>> Hi
>>
>> I could not decrypt the pkcs7 with the signing key... probably I just
>> could not find the right openssl commands. Anyway. I set up a simple
>> CA/SCEP chain and now I am getting a little further. It looks like it
>> stops when signing. Now I get the error:
>>
>> SCEP Request failed without error code set - default to badRequest
>>
>> Any suggestions?
>>
>> Here is the log:
>>
>> Regards,
>> Lukas
>>
>>
>> On 10.07.2015 07:27, Oliver Welter wrote:
>>> Hi Lukas,
>>>
>>> On 10.07.2015 at 00:20, Lukas Habegger wrote:
>>>>
>>>> I try to set up a SCEP auto-enroll environment for our Cisco routers.
>>>>
>>>> I did a basic setup of OpenXPKI and I am able to get the CA cert over
>>>> SCEP but I can't get a cert.
>>>>
>>>> In /var/openxpki/openxpki.log i get the error cannot decrypt request:
>>>>
>>>> ----------------------------------------------------------
>>>>
>>>> 2015/07/09 23:43:26 openxpki.system.ERROR:15526 [OpenXPKI::Crypto::CLI
>>>> (437); scep-server-1()@7f9e] test show cmd: crl2pkcs7 -nocrl -outform
>>>> DER -out /var/tmp/openxpki15526UkPNsHrM -certfile
>>>> /var/tmp/openxpki15526gM6Qyd39 -certfile /var/tmp/openxpki155264JL3FgaB
>>>> -certfile /var/tmp/openxpki15526aqpi2m2k
>>>>
>>>
>>>
>>> This means that OpenXPKI is not able to unwrap the SCEP transport container 
>>> - check if your key file of the scep token is named properly, readable and 
>>> is unlocked (password set in config or entered on the UI).
>>>
>>> If this is ok, did you set up a "complex" CA/RA/SCEP chain or did you use 
>>> the default settings provided? We had problems with Cisco routers when the 
>>> CA cert and issuer are not under the same root - to test this, extract the 
>>> pkcs7 from the workflow and try to decrypt it using the ca signing key.
>>>
>>> Oliver
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Don't Limit Your Business. Reach for the Cloud.
>>> GigeNET's Cloud Solutions provide you with the tools and support that
>>> you need to offload your IT needs and focus on growing your business.
>>> Configured For All Businesses. Start Your Cloud Today.
>>> https://www.gigenetcloud.com/
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>
>>
>>
> 
> 
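
The manual decrypt test suggested in the quoted advice, written out as an added example that is not part of the original thread or of OpenXPKI. A SCEP request is a PKCS#7 SignedData that wraps an EnvelopedData, so it is unwrapped in two steps; all file names, subjects and the payload below are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, subjects and the payload are constructed placeholders.

# scep_unwrap MSG.p7 RECIP_CERT RECIP_KEY OUT
# Returns 0 on success, 2 if the outer SignedData cannot be read,
# 3 if the inner EnvelopedData cannot be decrypted with the given key.
scep_unwrap() {
    msg=$1; cert=$2; key=$3; out=$4
    inner=$(mktemp) || return 1
    # Step 1: strip the outer SignedData. -noverify skips chain validation of the
    # signer (requesters are often self-signed); use it for diagnosis only.
    if ! openssl smime -verify -noverify -inform DER -in "$msg" \
            -out "$inner" 2>/dev/null; then
        rm -f "$inner"; echo "outer SignedData could not be read" >&2; return 2
    fi
    # Step 2: decrypt the inner EnvelopedData. Passing -recip makes OpenSSL
    # fail cleanly when the message was not encrypted to this certificate.
    rc=0
    openssl smime -decrypt -binary -inform DER -in "$inner" \
        -recip "$cert" -inkey "$key" -out "$out" 2>/dev/null || rc=$?
    rm -f "$inner"
    [ "$rc" -eq 0 ] || { echo "cannot decrypt with this key" >&2; return 3; }
}

# make_sample DIR: build a constructed message for trying the function offline.
# "token" plays the key the message is encrypted to, "other" plays the requester
# that signs it (and doubles as a wrong decryption key).
make_sample() {
    d=$1
    for n in token other; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$n" -days 1 \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    printf 'constructed CSR placeholder\n' > "$d/payload"
    openssl smime -encrypt -binary -aes128 -outform DER -in "$d/payload" \
        -out "$d/env.der" "$d/token.crt" &&
    openssl smime -sign -binary -nodetach -outform DER -in "$d/env.der" \
        -signer "$d/other.crt" -inkey "$d/other.key" -out "$d/msg.p7"
}
```

Run `scep_unwrap` against the pkcs7 exported from the workflow once with the SCEP token's certificate and key and once with the CA's; return code 3 for a given key means the request was not encrypted to that certificate.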
