Hi Robert, this sounds really weird...
As said, the certificates are pulled from the database, so I don't worry about them. What does your key file look like? It should start with something like

-----BEGIN ENCRYPTED PRIVATE KEY-----

What is the result of "openssl rsa -in ca-one-signer-1.pem"? Might there be a chance that you mixed up keys and certificates?

Oliver

On 04.08.2016 at 18:09, IT Crowdsource wrote:

Hi Oliver,

I have tried several options regarding the passwords (e.g. method: plain or literal). I'm currently testing with the "literal" setting where the passwords are stored in the crypto.yaml file. In the stderr.log (also attached to this mail) I can see that it resolves the path correctly, the actual files exist in this location and have the right permissions:

2016-08-04 15:21:07.140402 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 216): Building key name from template /etc/openxpki/ssl/ca-one/[% ALIAS %].pem
2016-08-04 15:21:07.140543 DEBUG:32 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 217): TT vars $VAR1 = { 'ALIAS' => 'ca-one-signer-1', 'GENERATION' => '1', 'GROUP' => 'ca-one-signer' };
2016-08-04 15:21:07.173450 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 223): Key path /etc/openxpki/ssl/ca-one/ca-one-signer-1.pem
2016-08-04 15:21:07.173630 DEBUG:16 PID:2026 OpenXPKI::Server::API::AUTOMETHOD (line 1619): method name: get_certificate_for_alias
2016-08-04 15:21:07.173809 DEBUG:16 PID:2026 OpenXPKI::Server::API::__ANON__ (line 1638): args: $VAR1 = [ { 'ALIAS' => 'ca-one-signer-1' } ];

But further in the log I see errors occurring:

2016-08-04 15:21:07.355905 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::command (line 479): eval_error:
2016-08-04 15:21:07.356020 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup (line 402): start
2016-08-04 15:21:07.356098 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup (line 415): end
2016-08-04 15:21:07.356674 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.357929 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.358415 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.359046 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.359912 DEBUG:16 PID:2026 OpenXPKI::Server::API::Token::is_token_usable (line 562): got eval error I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
2016-08-04 15:21:07.360158 DEBUG:32 PID:2026 OpenXPKI::Server::API::Token::list_active_aliases (line 327): Found tokens $VAR1 = { 'ALIAS' => 'ca-one-vault-1', 'IDENTIFIER' => 'V1pHidVwUoOEgHGiXWduopydkLk', 'NOTAFTER' => '1502546734', 'NOTBEFORE' => '1470146734', 'STATUS' => 'OFFLINE' };

Could it be that the server has problems decrypting the certificates?

With kind regards,
Robert Roos

-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Thursday, 4 August 2016 08:25
To: [email protected]
Subject: Re: [OpenXPKI-users] I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; (#404)

Hi Robert,

> A brief question regarding this issue: Could you point me to the
> location where the openxpki configuration is stored to retrieve the
> certificate location/folder? Or briefly explain how the server retrieves
> these certificates? Does the server use a specific path to e.g.
> openssl.cnf ?

There is no openssl.cnf - it's generated on the fly in a temporary location when we "do the crypto". The issuing *certificates* are never read from the disk but are also used from the database. You *must* have the private key readable at /etc/openxpki/ssl/ca-one/<aliasname>.pem, e.g. ca-one-signer-1.pem for the signer.

It might also be that the keys are readable but the password is wrong/does not exist - did you protect your keys with a password and did you change this in the crypto.yaml?

Oliver

On 04.08.2016 at 07:11, IT Crowdsource wrote:

Hi,

I have created a fresh install of openxpki on Debian Jessie. I've checked the basic configuration several times and all seems to be OK. I'm able to log on to the console where I see a message that I have to create a CRL. If I trigger a CRL issue I'm getting an error message in the GUI:

Unknown error (toolkit command failed)

Tried to debug the error by starting

openxpkictl start --debug 128

The stderr.log shows many error messages mostly related to openssl. Like

I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED

But also errors like these:

2016-08-03 09:26:07.721976 DEBUG:16 PID:1805 OpenXPKI::Server::Workflow::execute_action (line 198): bubbled up error - rethrow
2016-08-03 09:26:07.740090 DEBUG:128 PID:1805 OpenXPKI::Service::__get_error (line 133): $VAR1 = {
2016-08-03 09:26:07.743565 DEBUG:2 PID:1805 OpenXPKI::Service::__get_error (line 135): setup errors array
2016-08-03 09:26:07.743757 DEBUG:2 PID:1805 OpenXPKI::Service::__get_error (line 154): normalize error list
2016-08-03 09:26:07.743951 DEBUG:1 PID:1805 OpenXPKI::Service::__get_error (line 182): return serialized error list

As far as I understand now it's probably an issue related to the location and/or accessibility of the certificates:

'STATUS' => 'OFFLINE',
'IDENTIFIER' => 'JE0cN5CI-4hb9ZPdEnPPc04jfyI',
'ALIAS' => 'ca-one-signer-1',

Could anyone point me to the location where the openxpki configuration is stored to retrieve the certificate location/folder? Or briefly explain how the server retrieves these certificates?

All permissions are set correctly on the certificates. And all certificates are located in the right default folder /etc/openxpki/ssl/ca-one/

The certificates also seem to be imported properly from this same folder:

With kind regards,
Robert Roos

------------------------------------------------------------------------------
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- Protect your environment - close windows and adopt a penguin!
-- Protect your environment - close windows and adopt a penguin!
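The checks asked for in this thread (what the key file starts with, whether it opens with the configured password, whether a certificate was placed where the key belongs), as an added shell example that is not part of the original mails or of OpenXPKI. The KEYPASS variable and the verdict words are assumptions of the example, and it generalizes the thread's "openssl rsa -in" check to "openssl pkey" so non-RSA keys are covered too.

```shell
#!/bin/sh
# Added example: triage an OpenXPKI token key file before blaming the server.

# pem_kind FILE: classify the first PEM block by its BEGIN label.
pem_kind() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$label" in
        "ENCRYPTED PRIVATE KEY") echo encrypted-key ;;
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY")
            # Traditional-format keys mark encryption in a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key
            else echo plain-key; fi ;;
        "CERTIFICATE"|"TRUSTED CERTIFICATE") echo certificate ;;
        "") echo not-pem ;;
        *) echo other ;;
    esac
}

# key_opens FILE: exit 0 if the key parses (and decrypts) with $KEYPASS.
# KEYPASS is a hypothetical variable name; set it to the crypto.yaml secret.
key_opens() {
    KEYPASS=${KEYPASS-}; export KEYPASS
    openssl pkey -in "$1" -passin env:KEYPASS -noout >/dev/null 2>&1
}

# triage FILE: print a one-word verdict; non-zero exit means "fix this first".
triage() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    kind=$(pem_kind "$1")
    case "$kind" in
        encrypted-key|plain-key) ;;
        certificate) echo certificate-in-key-slot; return 1 ;;
        *) echo "$kind"; return 1 ;;
    esac
    command -v openssl >/dev/null 2>&1 || { echo "$kind-unverified"; return 0; }
    if key_opens "$1"; then echo "$kind-ok"
    else echo "$kind-bad-passphrase-or-corrupt"; return 1; fi
}

# Usage: KEYPASS='...' sh triage.sh /etc/openxpki/ssl/ca-one/ca-one-signer-1.pem
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Run it as the account the OpenXPKI daemon runs under, so that the "unreadable" verdict reflects the permissions the server actually has.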
