Hi Oliver,

Well this was quite a nasty problem. After struggling for a few hours I noticed that one of the certificates was corrupt. I have recreated new pairs and all seem to work properly right now.

Many thanks for your support!

With kind regards,

Robert Roos

-----Original Message-----
From: Oliver Welter [mailto:[email protected]]
Sent: Friday 5 August 2016 08:59
To: [email protected]
Subject: Re: [OpenXPKI-users] I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; (#404)

Hi Robert,

this sounds really weird... As said, the certificates are pulled from the database, so I don't worry about them.

What does your key file look like? It should start with something like

-----BEGIN ENCRYPTED PRIVATE KEY-----

What is the result of "openssl rsa -in ca-one-signer-1.pem"?

Might there be a chance that you mixed up keys and certificates?

Oliver

On 04.08.2016 at 18:09, IT Crowdsource wrote:
> Hi Oliver,
>
> I have tried several options regarding the passwords (e.g. method: plain or literal), I'm currently testing with the "literal" setting where the passwords are stored in the crypto.yaml file.
> In the stderr.log (also attached to this mail) I can see that it resolves the path correctly, the actual files exist in this location and have the right permissions:
>
> 2016-08-04 15:21:07.140402 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 216): Building key name from template /etc/openxpki/ssl/ca-one/[% ALIAS %].pem
> 2016-08-04 15:21:07.140543 DEBUG:32 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 217): TT vars
> $VAR1 = {
>   'ALIAS' => 'ca-one-signer-1',
>   'GENERATION' => '1',
>   'GROUP' => 'ca-one-signer'
> };
>
> 2016-08-04 15:21:07.173450 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::__load_config_realm_token (line 223): Key path /etc/openxpki/ssl/ca-one/ca-one-signer-1.pem
> 2016-08-04 15:21:07.173630 DEBUG:16 PID:2026 OpenXPKI::Server::API::AUTOMETHOD (line 1619): method name: get_certificate_for_alias
> 2016-08-04 15:21:07.173809 DEBUG:16 PID:2026 OpenXPKI::Server::API::__ANON__ (line 1638): args: $VAR1 = [
>   {
>     'ALIAS' => 'ca-one-signer-1'
>   }
> ];
>
> But further in the log I see errors occurring:
>
> 2016-08-04 15:21:07.355905 DEBUG:16 PID:2026 OpenXPKI::Crypto::Toolkit::command (line 479): eval_error:
> 2016-08-04 15:21:07.356020 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup (line 402): start
> 2016-08-04 15:21:07.356098 DEBUG:1 PID:2026 OpenXPKI::Crypto::CLI::cleanup (line 415): end
> 2016-08-04 15:21:07.356674 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2016-08-04 15:21:07.357929 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2016-08-04 15:21:07.358415 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2016-08-04 15:21:07.359046 DEBUG:1 PID:2026 OpenXPKI::Exception::full_message (line 75): exception thrown: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2016-08-04 15:21:07.359912 DEBUG:16 PID:2026 OpenXPKI::Server::API::Token::is_token_usable (line 562): got eval error I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2016-08-04 15:21:07.360158 DEBUG:32 PID:2026 OpenXPKI::Server::API::Token::list_active_aliases (line 327): Found tokens
> $VAR1 = {
>   'ALIAS' => 'ca-one-vault-1',
>   'IDENTIFIER' => 'V1pHidVwUoOEgHGiXWduopydkLk',
>   'NOTAFTER' => '1502546734',
>   'NOTBEFORE' => '1470146734',
>   'STATUS' => 'OFFLINE'
> };
>
> Could it be that the server has problems decrypting the certificates?
>
> With kind regards,
>
> Robert Roos
>
> -----Original Message-----
> From: Oliver Welter [mailto:[email protected]]
> Sent: Thursday 4 August 2016 08:25
> To: [email protected]
> Subject: Re: [OpenXPKI-users] I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; (#404)
>
> Hi Robert,
>
> > A brief question regarding this issue: Could you point me to the location where the openxpki configuration is stored to retrieve the certificate location/folder? Or briefly explain how the server retrieves these certificates? Does the server use a specific path to e.g. openssl.cnf ?
>
> There is no openssl.cnf - it's generated on the fly in a temporary location when we "do the crypto". The issuing *certificates* are never read from the disk but are also used from the database. You *must* have the private key readable at /etc/openxpki/ssl/ca-one/<aliasname>.pem, e.g. ca-one-signer-1.pem for the signer.
>
> It might also be that the keys are readable but the password is wrong/does not exist - did you protect your keys with a password and did you change this in the crypto.yaml ?
>
> Oliver
>
> On 04.08.2016 at 07:11, IT Crowdsource wrote:
>> Hi,
>>
>> I've created a fresh install of openxpki on Debian Jessie. I've checked the basic configuration several times and all seems to be OK. I'm able to logon to the console where I see a message that I have to create a CRL. If I trigger a CRL issue I'm getting an error message in the GUI: Unknown error (toolkit command failed)
>>
>> Tried to debug the error by starting openxpkictl start --debug 128
>>
>> The stderr.log shows many error messages mostly related to openssl.
>> Like I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
>>
>> But also errors like these:
>>
>> 2016-08-03 09:26:07.721976 DEBUG:16 PID:1805 OpenXPKI::Server::Workflow::execute_action (line 198): bubbled up error - rethrow
>> 2016-08-03 09:26:07.740090 DEBUG:128 PID:1805 OpenXPKI::Service::__get_error (line 133): $VAR1 = {
>> 2016-08-03 09:26:07.743565 DEBUG:2 PID:1805 OpenXPKI::Service::__get_error (line 135): setup errors array
>> 2016-08-03 09:26:07.743757 DEBUG:2 PID:1805 OpenXPKI::Service::__get_error (line 154): normalize error list
>> 2016-08-03 09:26:07.743951 DEBUG:1 PID:1805 OpenXPKI::Service::__get_error (line 182): return serialized error list
>>
>> As far as I understand now it's probably an issue related to the location and/or accessibility of the certificates:
>>
>> 'STATUS' => 'OFFLINE',
>> 'IDENTIFIER' => 'JE0cN5CI-4hb9ZPdEnPPc04jfyI',
>> 'ALIAS' => 'ca-one-signer-1',
>>
>> Could anyone point me to the location where the openxpki configuration is stored to retrieve the certificate location/folder? Or briefly explain how the server retrieves these certificates? All permissions are set correctly on the certificates. And all certificates are located in the right default folder /etc/openxpki/ssl/ca-one/
>>
>> The certificates also seem to be imported properly from this same folder:
>>
>> With kind regards,
>>
>> Robert Roos
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
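
The two failure modes raised in this thread (a certificate sitting where the private key is expected, and a corrupt PEM file) can be screened for before the server is started. The following is an added example, not part of the thread and not OpenXPKI code: a standard-library-only check of the PEM label, the base64 body and the outer DER length. The function names and the sample blobs are constructed for illustration.

```python
import base64, binascii, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"ENCRYPTED PRIVATE KEY", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def der_length_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text, expect):
    """expect is 'key' or 'cert'; returns 'ok' or a short reason string."""
    m = PEM_RE.search(text)
    if not m:
        return "no PEM block"
    label, body = m.groups()
    kind = "key" if label in KEY_LABELS else "cert" if label == "CERTIFICATE" else "other"
    if kind != expect:
        return f"expected {expect}, found {label}"
    # Legacy encrypted keys carry Proc-Type/DEK-Info headers; their body is ciphertext, not DER.
    legacy_encrypted = "Proc-Type:" in body
    b64 = "".join(l for l in body.splitlines() if ":" not in l)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "corrupt base64"
    if not legacy_encrypted and not der_length_ok(der):
        return "truncated or damaged DER"
    return "ok"

def make_pem(label, der):
    """Build a PEM block from raw bytes (used only for the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed sample data: a well-formed but meaningless 260-byte DER SEQUENCE.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD_KEY = make_pem("ENCRYPTED PRIVATE KEY", SAMPLE_DER)
CERT_IN_KEY_SLOT = make_pem("CERTIFICATE", SAMPLE_DER)
TRUNCATED_KEY = GOOD_KEY.replace(GOOD_KEY.splitlines()[2] + "\n", "", 1)

if __name__ == "__main__":
    for name in ("GOOD_KEY", "CERT_IN_KEY_SLOT", "TRUNCATED_KEY"):
        print(name, "->", check_pem(globals()[name], "key"))
```

This only validates the container; whether a key actually belongs to a given certificate and decrypts with the configured password still has to be confirmed with the openssl command quoted in the thread.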
