Hi Oliver,
here is my workflow.log when I issue a new certificate over the web UI:
--------------------
2017/05/24 07:02:54 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Persister::DBI (53); raop(RA
Operator)@d6fc#1279] Created workflow ID 1535.
2017/05/24 07:02:54 openxpki.workflow.INFO:1329
[OpenXPKI::Server::API::Workflow (736); raop(RA Operator)@d6fc#1535]
Workflow instance 1535 created for raop (type:
'certificate_signing_request_v2')
2017/05/24 07:02:54 openxpki.workflow.FATAL:1329
[OpenXPKI::Server::Workflow (791); raop(RA Operator)@d6fc#1535] Workflow
save requested during startup - wont save! (running)
2017/05/24 07:02:54 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/SETUP_REQUEST_TYPE executed
'csr_select_profile' in state 'INITIAL'
2017/05/24 07:02:54 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/SETUP_REQUEST_TYPE changed from
state 'INITIAL'
2017/05/24 07:03:01 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_KEY_PASSWORD executed
'csr_provide_server_key_params' in state 'SETUP_REQUEST_TYPE'
2017/05/24 07:03:01 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_KEY_PASSWORD changed from
state 'SETUP_REQUEST_TYPE'
2017/05/24 07:03:01 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{password_type} eq 'server'' did not return a true value.
2017/05/24 07:03:01 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 178; before: Workflow::State:
71]: No access to action 'csr_retype_server_password' in state
'ENTER_KEY_PASSWORD' because: Condition expressed by test
'$context->{password_type} eq 'server'' did not return a true value.
2017/05/24 07:03:01 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{password_type} eq 'server'' did not return a true value.
2017/05/24 07:03:01 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 178; before: Workflow::State:
71]: No access to action 'csr_retype_server_password' in state
'ENTER_KEY_PASSWORD' because: Condition expressed by test
'$context->{password_type} eq 'server'' did not return a true value.
2017/05/24 07:03:10 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{password_type} eq 'server'' did not return a true value.
2017/05/24 07:03:10 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/PERSIST_KEY_PASSWORD executed
'csr_ask_client_password' in state 'ENTER_KEY_PASSWORD'
2017/05/24 07:03:10 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/PERSIST_KEY_PASSWORD changed from
state 'ENTER_KEY_PASSWORD'
2017/05/24 07:03:10 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 187; before: Workflow::State:
71]: No access to action 'global_noop' in state 'PERSIST_KEY_PASSWORD'
because condition csr_has_password_in_context did NOT fail and we are
checking !csr_has_password_in_context.
2017/05/24 07:03:10 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_SUBJECT executed
'csr_persist_key_password' (autorun) in state 'PERSIST_KEY_PASSWORD'
2017/05/24 07:03:10 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_SUBJECT changed from state
'PERSIST_KEY_PASSWORD'
2017/05/24 07:03:29 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_SAN executed
'csr_edit_subject' in state 'ENTER_SUBJECT'
2017/05/24 07:03:29 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_SAN changed from state
'ENTER_SUBJECT'
2017/05/24 07:03:29 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 149; before: Workflow::State:
71]: No access to action 'global_skip' in state 'ENTER_SAN' because
cached condition 'csr_profile_has_san_section' did NOT fail before and
we are being asked for the opposite.
2017/05/24 07:03:29 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 149; before: Workflow::State:
71]: No access to action 'global_skip' in state 'ENTER_SAN' because
cached condition 'csr_profile_has_san_section' did NOT fail before and
we are being asked for the opposite.
2017/05/24 07:03:38 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_CERT_INFO executed
'csr_edit_san' in state 'ENTER_SAN'
2017/05/24 07:03:38 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/ENTER_CERT_INFO changed from state
'ENTER_SAN'
2017/05/24 07:03:38 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 149; before: Workflow::State:
71]: No access to action 'global_skip' in state 'ENTER_CERT_INFO'
because cached condition 'csr_profile_has_info_section' did NOT fail
before and we are being asked for the opposite.
2017/05/24 07:03:38 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 149; before: Workflow::State:
71]: No access to action 'global_skip' in state 'ENTER_CERT_INFO'
because cached condition 'csr_profile_has_info_section' did NOT fail
before and we are being asked for the opposite.
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT executed
'csr_edit_cert_info' in state 'ENTER_CERT_INFO'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT changed from state
'ENTER_CERT_INFO'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_0
executed 'csr_render_subject' (autorun) in state 'BUILD_SUBJECT'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_0
changed from state 'BUILD_SUBJECT'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_1
executed 'csr_set_workflow_attributes' (autorun) in state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_0'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_1
changed from state 'BUILD_SUBJECT_CSR_RENDER_SUBJECT_0'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_2
executed 'csr_check_policy_dns' (autorun) in state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_1'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_2
changed from state 'BUILD_SUBJECT_CSR_RENDER_SUBJECT_1'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_3
executed 'csr_check_policy_subject_duplicate' (autorun) in state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_2'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/BUILD_SUBJECT_CSR_RENDER_SUBJECT_3
changed from state 'BUILD_SUBJECT_CSR_RENDER_SUBJECT_2'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/SUBJECT_COMPLETE executed
'csr_check_policy_key_duplicate' (autorun) in state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_3'
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/SUBJECT_COMPLETE changed from state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_3'
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{check_policy_dns} ||
$context->{check_policy_subject_duplicate} ||
$context->{check_policy_key_duplicate}' did not return a true value.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 135; before: Workflow::State:
71]: No access to action 'csr_enter_policy_violation_comment' in state
'SUBJECT_COMPLETE' because cached condition 'csr_has_policy_violation'
already failed before.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 135; before: Workflow::State:
71]: No access to action 'global_noop' in state 'SUBJECT_COMPLETE'
because cached condition 'csr_has_policy_violation' already failed before.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{check_policy_dns} ||
$context->{check_policy_subject_duplicate} ||
$context->{check_policy_key_duplicate}' did not return a true value.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 135; before: Workflow::State:
71]: No access to action 'csr_enter_policy_violation_comment' in state
'SUBJECT_COMPLETE' because cached condition 'csr_has_policy_violation'
already failed before.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 135; before: Workflow::State:
71]: No access to action 'global_noop' in state 'SUBJECT_COMPLETE'
because cached condition 'csr_has_policy_violation' already failed before.
--------------------
As you can see, I have errors at the password check. This confuses me,
because there is no error when typing the password twice.
The hostname is an FQDN. The domain is in the search list in resolv.conf.
Do you have any idea what is going wrong?
Best regards,
Dominik
On 05/23/17 22:21, Oliver Welter wrote:
Hi Dominik,
that's what I assumed - blue is the color of the new timeout or unknown
state, it falls back to "fail" if no label is set. To adjust your
workflow config, see this commit
https://github.com/openxpki/openxpki/commit/b567653e9a55a4ce01bbc7c1dbd4145aaebc5c79
You did not answer my question - in what state is your workflow? Do
you have this DNS "problem" only on the UI or do you also get a policy
violation due to failed DNS check on the workflow level?
Additional question: Is the domain name in question a "hostname only"
or is it a real FQDN? The old code used the domain search list, which
we removed to avoid ambiguities when isolated hostnames are used (which
is in general a bad idea in certificates).
Oliver
Am 23.05.2017 um 20:21 schrieb Dominik Lindlbauer:
Hi Oliver,
thanks for the fast reply. I already checked DNS resolving with dig and
nslookup. Both dig and nslookup do not even take a second, the answer
comes without failure and without delay. A slightly strange behavior is
that the error message "Subject Alternative Name: DNS: sample.fqdn
(FAIL)" is in light blue, not in red. Could it be that this error is
more a "cosmetic" failure in the web UI?
Best regards,
Dominik
On 05/23/17 19:58, Oliver Welter wrote:
Hi Dominik,
that's bad news - we always try to not break existing installs with the
updates :(
Does your request really fail or is it just in the "Policy Violation
Pending" state? This just means that the DNS lookup for the given
domain failed. Indeed we changed this module to better handle timeouts
when the DNS response is too slow.
First, to diagnose the problem, try to make a DNS lookup on the domain
in question using dig/nslookup on the shell. If this takes longer than
a second, you got the problem.
It would be easiest to fix/speed up the resolver of the underlying OS,
you can also set timeout and resolvers in the workflow config files
(have a look at the checkdns activity).
Oliver
Am 23.05.2017 um 18:57 schrieb Dominik Lindlbauer:
Hi everybody,
after upgrading openxpki from version 1.16.8 to 1.17.4 with aptitude on
a Debian 8 machine I got the following output when I want to issue a new
certificate:
Subject Alternative Name: DNS: sample.fqdn (FAIL)
Before the upgrade I could issue the certificate perfectly without errors:
Subject Alternative Name: DNS: sample.fqdn (OK).
Has anybody the same problem (and maybe even solved the issue)?
Thanks for your help,
Dominik
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
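
Added example, not part of the thread and not OpenXPKI code: a small Python parser for the workflow.log format quoted above. It re-joins the wrapped records and lists state transitions, denied actions, and the check_policy_* context flags named in tests that did not return a true value; the function names are made up for illustration and the sample is a shortened excerpt of the posted log.

```python
import re

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")
STEP = re.compile(r"Workflow (\d+)/[^/\s]+/(\w+) executed '(\w+)'(?: \(autorun\))? in state '(\w+)'")
DENY = re.compile(r"No access to action '(\w+)' in state '(\w+)'")
TEST = re.compile(r"Condition expressed by test '(.+)' did not return a true value")

# Shortened excerpt of the log posted in this thread, wrapped as in the mail.
SAMPLE = """\
2017/05/24 07:03:47 openxpki.workflow.INFO:1329
[OpenXPKI::Server::Workflow::Observer::Log (73); raop(RA
Operator)@d6fc#1535] Workflow
1535/certificate_signing_request_v2/SUBJECT_COMPLETE executed
'csr_check_policy_key_duplicate' (autorun) in state
'BUILD_SUBJECT_CSR_RENDER_SUBJECT_3'
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 condition_error
exception thrown from [Workflow::Condition::Evaluate: 63; before:
Workflow::State: 172]: Condition expressed by test
'$context->{check_policy_dns} ||
$context->{check_policy_subject_duplicate} ||
$context->{check_policy_key_duplicate}' did not return a true value.
2017/05/24 07:03:47 Workflow.Exception.ERROR:1329 workflow_error
exception thrown from [Workflow::State: 135; before: Workflow::State:
71]: No access to action 'csr_enter_policy_violation_comment' in state
'SUBJECT_COMPLETE' because cached condition 'csr_has_policy_violation'
already failed before.
"""

def records(text):
    # A record starts with a timestamp; every other line is a wrapped continuation.
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    steps, denied, flags = [], [], set()
    for rec in records(text):
        if m := STEP.search(rec):
            steps.append((m.group(4), m.group(3), m.group(2)))  # from, action, to
        elif m := DENY.search(rec):
            denied.append((m.group(2), m.group(1)))  # state, action
        elif m := TEST.search(rec):
            flags.update(re.findall(r"\{(check_policy_\w+)\}", m.group(1)))
    return {"steps": steps, "denied": denied, "false_flags": sorted(flags)}
```

Running summarize() over the full log gives the state path of workflow 1535 in order, with the denied actions and false condition tests separated from the transitions.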