Hi Oliver,

I have tried several options regarding the passwords (e.g. method: plain or
literal). I'm currently testing with the "literal" setting, where the
passwords are stored in the crypto.yaml file.
In the stderr.log (also attached to this mail) I can see that it resolves
the path correctly, the actual files exist in this location and have the
right permissions:

2016-08-04 15:21:07.140402 DEBUG:16 PID:2026
OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 216): Building
key name from template /etc/openxpki/ssl/ca-one/[% ALIAS %].pem
2016-08-04 15:21:07.140543 DEBUG:32 PID:2026
OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 217): TT vars
$VAR1 = {
          'ALIAS' => 'ca-one-signer-1',
          'GENERATION' => '1',
          'GROUP' => 'ca-one-signer'
        };

2016-08-04 15:21:07.173450 DEBUG:16 PID:2026
OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 223): Key path
/etc/openxpki/ssl/ca-one/ca-one-signer-1.pem
2016-08-04 15:21:07.173630 DEBUG:16 PID:2026
OpenXPKI::Server::API::AUTOMETHOD (line 1619): method name:
get_certificate_for_alias
2016-08-04 15:21:07.173809 DEBUG:16 PID:2026 OpenXPKI::Server::API::__ANON__
(line 1638): args: $VAR1 = [
          {
            'ALIAS' => 'ca-one-signer-1'
          }
        ];


But further in the log I see errors occurring:

2016-08-04 15:21:07.355905 DEBUG:16 PID:2026
OpenXPKI::Crypto::Toolkit::command (line 479): eval_error: 
2016-08-04 15:21:07.356020 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup
(line 402): start
2016-08-04 15:21:07.356098 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup
(line 415): end
2016-08-04 15:21:07.356674 DEBUG:1 PID:2026
OpenXPKI::Exception::full_message (line 75): exception thrown:
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.357929 DEBUG:1 PID:2026
OpenXPKI::Exception::full_message (line 75): exception thrown:
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.358415 DEBUG:1 PID:2026
OpenXPKI::Exception::full_message (line 75): exception thrown:
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.359046 DEBUG:1 PID:2026
OpenXPKI::Exception::full_message (line 75): exception thrown:
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.359912 DEBUG:16 PID:2026
OpenXPKI::Server::API::Token::is_token_usable (line 562): got eval error
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.360158 DEBUG:32 PID:2026
OpenXPKI::Server::API::Token::list_active_aliases (line 327): Found tokens
$VAR1 = {
          'ALIAS' => 'ca-one-vault-1',
          'IDENTIFIER' => 'V1pHidVwUoOEgHGiXWduopydkLk',
          'NOTAFTER' => '1502546734',
          'NOTBEFORE' => '1470146734',
          'STATUS' => 'OFFLINE'
        };

Could it be that the server has problems decrypting the certificates?

With kind regards,

Robert Roos

-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, 4 August 2016 08:25
To: [email protected]
Subject: Re: [OpenXPKI-users] I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; (#404)

Hi Robert,

> A brief question regarding this issue: Could you point me to the
> location where the openxpki configuration is stored to retrieve the
> certificate location/folder? Or briefly explain how the server retrieves
> these certificates? Does the server use a specific path to e.g.
> openssl.cnf ?

There is no openssl.cnf - it's generated on the fly in a temporary location
when we "do the crypto". The issuing *certificates* are never read from the
disk but are also used from the database. You *must* have the private key
readable at /etc/openxpki/ssl/ca-one/<aliasname>.pem,
e.g. ca-one-signer-1.pem for the signer.

It might also be that the keys are readable but the password is wrong/does not
exist - did you protect your keys with a password and did you change this in
the crypto.yaml?

Oliver

On 04.08.2016 at 07:11, IT Crowdsource wrote:
> Hi,
>
>
> I've created a fresh install of openxpki on Debian Jessie. I've 
> checked the basic configuration several times and all seems to be OK.
> I'm able to logon to the console where I see a message that I have to 
> create a CRL. If I trigger a CRL issue I'm getting an error message in 
> the GUI: Unknown error (toolkit command failed)
>
> Tried to debug the error by starting openxpkictl start --debug 128
>
> The stderr.log shows many error messages mostly related to openssl. 
> Like I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
>
> /But also errors like these:/
>
> 2016-08-03 09:26:07.721976 DEBUG:16 PID:1805 
> OpenXPKI::Server::Workflow::execute_action (line 198): bubbled up 
> error
> - rethrow
> 2016-08-03 09:26:07.740090 DEBUG:128 PID:1805 
> OpenXPKI::Service::__get_error (line 133): $VAR1 = {
> 2016-08-03 09:26:07.743565 DEBUG:2 PID:1805 
> OpenXPKI::Service::__get_error (line 135): setup errors array
> 2016-08-03 09:26:07.743757 DEBUG:2 PID:1805 
> OpenXPKI::Service::__get_error (line 154): normalize error list
> 2016-08-03 09:26:07.743951 DEBUG:1 PID:1805 
> OpenXPKI::Service::__get_error (line 182): return serialized error 
> list
>
> As far as I understand now it's probably an issue related to the 
> location and/or accessibility of the certificates:
>
>
> 'STATUS' => 'OFFLINE',
> 'IDENTIFIER' => 'JE0cN5CI-4hb9ZPdEnPPc04jfyI',
> 'ALIAS' => 'ca-one-signer-1',
>
>
> Could anyone point me to the location where the openxpki configuration 
> is stored to retrieve the certificate location/folder? Or briefly 
> explain how the server retrieves these certificates? All permissions 
> are set correctly on the certificates. And all certificates are 
> located in the right default folder */etc/openxpki/ssl/ca-one/*
>
> The certificates also seem to be imported properly from this same folder:
>
> With kind regards,
>
>
>
> Robert Roos
>
>
>
> ----------------------------------------------------------------------
> --------
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>


--
Protect your environment -  close windows and adopt a penguin!
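
An added example, not part of the original thread or of OpenXPKI: a small Python parser that re-joins the mail-wrapped stderr.log records quoted above and summarizes failed toolkit commands, resolved key paths and token status. The sample is abridged from the excerpts in this thread; reading `__EXIT_STATUS__` as a raw wait status (exit code in the high byte, so 512 would mean exit code 2) is an assumption.

```python
import re
from collections import Counter

# Constructed sample: abridged from the stderr.log excerpts in this thread,
# including the hard line wraps introduced by the mail client.
SAMPLE = """\
2016-08-04 15:21:07.173450 DEBUG:16 PID:2026
OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 223): Key path
/etc/openxpki/ssl/ca-one/ca-one-signer-1.pem
2016-08-04 15:21:07.357929 DEBUG:1 PID:2026
OpenXPKI::Exception::full_message (line 75): exception thrown:
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.360158 DEBUG:32 PID:2026
OpenXPKI::Server::API::Token::list_active_aliases (line 327): Found tokens
$VAR1 = {
          'ALIAS' => 'ca-one-vault-1',
          'STATUS' => 'OFFLINE'
        };
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ DEBUG:\d+ PID:\d+")

def records(text):
    """Re-join wrapped lines: a record starts at each timestamp line."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    failures, tokens, key_paths = Counter(), {}, []
    for rec in records(text):
        m = re.search(r"__COMMAND__ => (\S+?); .*__EXIT_STATUS__ => (\d+)", rec)
        if m and "exception thrown" in rec:
            # Assumption: value is a raw wait status, exit code in the high byte.
            failures[(m.group(1).split("::")[-1], int(m.group(2)) >> 8)] += 1
        m = re.search(r"Key path (\S+)", rec)
        if m:
            key_paths.append(m.group(1))
        alias = re.search(r"'ALIAS' => '([^']+)'", rec)
        status = re.search(r"'STATUS' => '([^']+)'", rec)
        if alias and status:
            tokens[alias.group(1)] = status.group(1)
    return {"failures": dict(failures), "tokens": tokens, "key_paths": key_paths}
```

Run `summarize()` over the full stderr.log text to see which backend command fails most often and which token aliases are reported OFFLINE.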


