Hi Oliver,

I will use the same thread as it is related to getcrl. I am trying to get
the CRL via SCEP using sscep, but I am receiving the following error:

2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109);
scep-server-1()@ee1c] Exception:
I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109);
scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED;
__COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395);
scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation':
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ =>
I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Here is my action:

1) Issuing new CRL on pki.local
# openxpkicmd --realm ca-web crl_issuance
Workflow created (ID: 1304063), State: SUCCESS

From openxpki.log
2017/06/08 15:37:28 openxpki.system.INFO:7990
[OpenXPKI::Server::Workflow::NICE::Local (446);
anonymous(System)@8d6a#1304063] CRL issued for CA ca-web-signer-1 in realm
ca-web
2017/06/08 15:37:28 openxpki.application.INFO:7990
[OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute
action crl_add_serial_to_status_hash on workflow #1304063
2017/06/08 15:37:28 openxpki.application.INFO:7990
[OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute
action crl_publish_crl on workflow #1304063
2017/06/08 15:37:28 openxpki.system.INFO:7990
[OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL (220);
anonymous(System)@8d6a#1304063] CRL pubication date set for crl 4607

Verifying...
a)
# openssl crl -in /var/www/html/ca-web/ca-web-crl.pem -crlnumber -lastupdate -noout
crlNumber=11FF
lastUpdate=Jun  8 13:37:28 2017 GMT

curl -s http://pki.local/ca-web/ca-web-crl.pem | openssl crl -crlnumber -lastupdate -noout
crlNumber=11FF
lastUpdate=Jun  8 13:37:28 2017 GMT

# printf "%d\n" 0x11FF
4607
b) Confirm also from web interface that CRL with serial 4607 was issued


2) Trying to getcrl via SCEP (using sscep - https://github.com/certnanny/sscep)

$ ./sscep | grep version
sscep version 0.5

$ ./sscep getca -c web_cacert -u http://pki.local/scep/web
$ ls -l
-rw------- 1 root root 1659 Jun  8 15:44 web_cacert-0
-rw------- 1 root root 1728 Jun  8 15:44 web_cacert-1
-rw------- 1 root root 1724 Jun  8 15:44 web_cacert-2
-r-------- 1 root root 1704 May 17 17:17 server.key
-rw------- 1 root root 6189 May 17 17:17 server.crt

web_cacert-0 - SCEP ssl cert
web_cacert-1 - RootCA
web_cacert-2 - Intermediate CA (WebCA)
server.crt - server ssl cert issued by WebCA

$ ./sscep getcrl -v -c web_cacert-0 -u http://pki.local/scep/web -l server.crt -k server.key -w t.crl
sscep: starting sscep, version 0.5
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: pki.local
sscep: directory: scep/web
sscep: port: 80
sscep: SCEP_OPERATION_GETCRL
sscep: requesting crl
sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 177 bytes
sscep: successfully encrypted payload
sscep: envelope size: 709 bytes
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: applying base64 encoding
sscep: base64 encoded payload size: 4043 bytes
sscep: server returned status code 500
sscep: mime_err: HTTP/1.1 500 Internal Server Error
Date: Thu, 08 Jun 2017 13:48:20 GMT
Server: Apache
Connection: close
Content-Type: text/html

<h1>Software error:</h1>
<pre>I18N_OPENXPKI_CLIENT_DETACH_FAILED; __MESSAGE_FROM_SERVER__ =&gt;
$VAR1 = {
          'LABEL' =&gt;
'I18N_OPENXPKI_SERVICE_SCEP_RUN_UNRECOGNIZED_SERVICE_MESSAGE'
        };
</pre>
sscep: wrong (or missing) MIME content type
sscep: error while sending message

From openxpki.log
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109);
scep-server-1()@ee1c] Exception:
I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109);
scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED;
__COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395);
scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation':
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ =>
I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Regards,

Cho




On Tue, Jun 6, 2017 at 8:42 AM, Oliver Welter <[email protected]> wrote:

> Hi Kevin,
>
> thanks for bringing this up - we will investigate how to solve this
> without breaking other things.
>
> Oliver
>
>
> On 22.05.2017 at 14:47, Kevin Wallis wrote:
>
>> At the moment I solved the problem by changing the code in the
>> “get_getcrl_issuer_serial.pm” file.
>>
>> I added the following code in line 107:
>>
>>
>>
>> $issuer = join ",", reverse split (/,/, $issuer);
>>
>>
>>
>> So the DN is reversed. It would be very good if
>> “get_getcrl_issuer_serial.pm” would order the issuer content itself.
>> The result would be a request-source-independent solution.
>>
>>
>>
>> Thanks for the help!
>>
>>
>>
>> Regards,
>>
>> Kevin
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
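An added example, not part of the original thread and not OpenXPKI code: one way to make the issuer comparison from the quoted workaround independent of the order in which the request supplies the DN, written in Python for illustration. The function names and the sample DNs are constructed; `naive_reverse` mirrors the quoted Perl one-liner to show where a plain comma split breaks on an escaped comma.

```python
def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    # Drop the optional space after a separator; leave values untouched.
    return [p.lstrip() for p in parts if p.strip()]


def canonical(dn):
    """List of RDNs with the attribute type upper-cased (cn= -> CN=)."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().upper() + "=" + value)
    return out


def issuer_matches(requested, ca_subject):
    """True if `requested` names `ca_subject` in either RDN order."""
    req, ca = canonical(requested), canonical(ca_subject)
    return req == ca or req == ca[::-1]


def naive_reverse(dn):
    """Same logic as the quoted one-liner: split on every comma, reverse."""
    return ",".join(reversed(dn.split(",")))


# Constructed sample DNs (not taken from the thread).
CA_SUBJECT = r"CN=Example Web CA,OU=PKI,O=Example\, Inc.,DC=example,DC=org"
REQ_REVERSED = r"DC=org, DC=example, O=Example\, Inc., OU=PKI, cn=Example Web CA"

if __name__ == "__main__":
    print(issuer_matches(REQ_REVERSED, CA_SUBJECT))               # reversed order
    print(issuer_matches(naive_reverse(CA_SUBJECT), CA_SUBJECT))  # escaped comma
```

Multi-valued RDNs (`+`) and the quoted-string value form are not handled here.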