Hello openxpki-users,
I followed the quickstart guide to test the SCEP functionality, but all of
my requests via SCEP are in PENDING status and need manual intervention
from an Operator to approve them via the web UI.
I tried to change some of the configuration parameters in
scep-server-1.yaml like

    authorized_signer_on_behalf:
        rule1:
            # Full DN
            subject: CN=.*,.*
        rule2:
            # Full DN
            subject: CN=.*,.*

    policy:
        allow_anon_enroll: 1

but again the requests are in PENDING status (openxpki was
reloaded/restarted after the modifications).
What needs to be modified to be able to enroll/request new certs?
Extracts from openxpki.log
2015/12/18 12:17:06 openxpki.application.INFO:2572
[OpenXPKI::Service::SCEP::Command::PKIOperation
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:346);
scep-server-1()@e203]
SCEP incoming request, id 15DDB9CE714D693EAA76A8B0545E99A1
2015/12/18 12:17:06 openxpki.application.INFO:2572
[OpenXPKI::Service::SCEP::Command::PKIOperation (408);
scep-server-1()@e203] SCEP try to start new workflow for
15DDB9CE714D693EAA76A8B0545E99A1
2015/12/18 12:17:06 openxpki.system.INFO:2572
[OpenXPKI::Server::Workflow::Persister::DBI (130); scep-server-1()@e203]
Created workflow 3071
2015/12/18 12:17:06 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_initialize on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_extract_csr on workflow #3071
2015/12/18 12:17:07 openxpki.application.WARN:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/SCEPv2/ExtractCSR.pm:101);
scep-server-1()@e203] SCEP csr key size is ok (rsaEncryption / 2048)
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (114);
scep-server-1()@e203] SCEP csr hash type is ok (sha1)
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (199);
scep-server-1()@e203] SCEP subject rendering enabled (
I18N_OPENXPKI_PROFILE_TLS_SERVER / enroll )
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (313);
scep-server-1()@e203] SCEP signer subject: CN=test.in.prod,OU=Test
Deployment,O=OpenXPKI,ST=Some-State,C=IN - is selfsign
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (383);
scep-server-1()@e203] SCEP signature verified; CSR subject:
CN=test.in.prod,DC=Test Deployment,DC=OpenXPKI,DC=org, Signer
CN=test.in.prod,OU=Test Deployment,O=OpenXPKI,ST=Some-State,C=IN
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_set_workflow_attributes on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_fetch_group_policy on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_eval_signer_trust on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/Tools/EvaluateSignerTrust.pm:126);
scep-server-1()@e203] Trusted Signer certificate is revoked
2015/12/18 12:17:07 openxpki.application.FATAL:2572
[OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust (162);
scep-server-1()@e203] Trusted Signer Authorization unknown / global /
CN=test.in.prod,OU=Test Deployment,O=OpenXPKI,ST=Some-State,C=IN /
9bt6OWAzAtbfPtre4Q4BAWbw1Q4
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust (220);
scep-server-1()@e203] Trusted Signer not found in trust list
(CN=test.in.prod,OU=Test Deployment,O=OpenXPKI,ST=Some-State,C=IN).
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_eval_eligibility on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateEligibility (94);
scep-server-1()@e203] SCEP eligibility for initial enrollment failed
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_revoke_existing_certs on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::RevokeExistingCerts
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/SCEPv2/RevokeExistingCerts.pm:68);
scep-server-1()@e203] SCEP autorevoke - no active certs
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_revoke_existing_certs on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::RevokeExistingCerts (68);
scep-server-1()@e203] SCEP autorevoke - no active certs
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
global_noop2 on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_calc_approvals on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::CalcApprovals
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/SCEPv2/CalcApprovals.pm:79);
scep-server-1()@e203] SCEP no auto approval for eligibility!
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::CalcApprovals (98);
scep-server-1()@e203] SCEP insufficient approval points (0/1) for
CN=test.in.prod,DC=Test Deployment,DC=OpenXPKI,DC=org
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_notify_pending_approval on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::Tools::Notify
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Workflow/Activity/Tools/Notify.pm:46);
scep-server-1()@e203] Trigger notification message scep_approval_pending
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Service::SCEP::Command::PKIOperation (505);
scep-server-1()@e203] SCEP started new workflow with id 3071, state
PENDING_APPROVAL
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Service::SCEP::Command::PKIOperation (530);
scep-server-1()@e203] SCEP 3071 in state PENDING_APPROVAL, send pending
reply
2015/12/18 12:17:18 openxpki.application.INFO:2582
[OpenXPKI::Service::SCEP::Command::PKIOperation
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:346);
scep-server-1()@9867] SCEP incoming request, id
15DDB9CE714D693EAA76A8B0545E99A1
2015/12/18 12:17:18 openxpki.application.INFO:2582
[OpenXPKI::Service::SCEP::Command::PKIOperation (385);
scep-server-1()@9867] SCEP incoming request, found workflow 3071, state
PENDING_APPROVAL
2015/12/18 12:17:18 openxpki.application.INFO:2582
[OpenXPKI::Service::SCEP::Command::PKIOperation (530);
scep-server-1()@9867] SCEP 3071 in state PENDING_APPROVAL, send pending
reply
Thank you in advance!
Cho
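
Added example, not part of the original post: a small triage script that re-joins the mail-wrapped openxpki.log entries and attributes each activity message to the workflow action that produced it, so the steps leading to PENDING_APPROVAL can be read per workflow. It assumes that entries logged under one PID belong to the action most recently announced for that PID; `SAMPLE`, `entries` and `decisions` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: four entries in the mail-wrapped format of the extract above.
SAMPLE = """\
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_eval_signer_trust on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::Tools::EvaluateSignerTrust (220);
scep-server-1()@e203] Trusted Signer not found in trust list
(CN=test.in.prod,OU=Test Deployment,O=OpenXPKI,ST=Some-State,C=IN).
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow (128); scep-server-1()@e203] Execute action
scep_calc_approvals on workflow #3071
2015/12/18 12:17:07 openxpki.application.INFO:2572
[OpenXPKI::Server::Workflow::Activity::SCEPv2::CalcApprovals (98);
scep-server-1()@e203] SCEP insufficient approval points (0/1) for
CN=test.in.prod,DC=Test Deployment,DC=OpenXPKI,DC=org
"""

# Header "<date> <time> openxpki.<facility>.<LEVEL>:<pid>", then all text up to the next timestamp.
ENTRY = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d openxpki\.\w+\.(\w+):(\d+)\s+"
                   r"((?:(?!\d{4}/\d\d/\d\d ).+\n?)*)", re.M)
BODY = re.compile(r"\[(\S+) \([^)]*\); [^\]]*\] (.*)")
EXEC = re.compile(r"Execute action (\S+) on workflow #(\d+)$")

def entries(text):
    """Yield (level, pid, module, message) with wrapped lines re-joined."""
    for level, pid, raw in ENTRY.findall(text):
        body = BODY.match(" ".join(raw.split()))
        if body:
            yield level, pid, body.group(1), body.group(2)

def decisions(text):
    """Map workflow id -> [(action, activity, level, message)]."""
    current, out = {}, defaultdict(list)
    for level, pid, module, msg in entries(text):
        step = EXEC.match(msg)
        if step:  # the workflow engine names the action it is about to run
            current[pid] = (step.group(2), step.group(1))
        elif "::Activity::" in module and pid in current:
            # Assumption: a PID's activity output belongs to its last announced action.
            wf, action = current[pid]
            out[wf].append((action, module.rsplit("::", 1)[-1], level, msg))
    return dict(out)

if __name__ == "__main__":
    print(decisions(SAMPLE))
```

The same functions accept the unwrapped log file, where each entry sits on a single line.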