Hi Cho,

I can not really make any sense of that... it looks like OpenXPKI finds the correct CRL but it is zero bytes.
Can you please check the catchall.log if you can see any more useful messages?

Oliver

On 08.06.2017 at 15:59, Cho Chan wrote:
Hi Oliver,

I will use the same thread as it is related to getcrl. I am trying to get the CRL via SCEP using sscep, but I am receiving the following error:

    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Here is my action:

1) Issuing new CRL on pki.local

    # openxpkicmd --realm ca-web crl_issuance
    Workflow created (ID: 1304063), State: SUCCESS

From openxpki.log

    2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::NICE::Local (446); anonymous(System)@8d6a#1304063] CRL issued for CA ca-web-signer-1 in realm ca-web
    2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_add_serial_to_status_hash on workflow #1304063
    2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_publish_crl on workflow #1304063
    2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL (220); anonymous(System)@8d6a#1304063] CRL pubication date set for crl 4607

Verifying...

a)

    # openssl crl -in /var/www/html/ca-web/ca-web-crl.pem -crlnumber -lastupdate -noout
    crlNumber=11FF
    lastUpdate=Jun 8 13:37:28 2017 GMT

    curl -s http://pki.local/ca-web/ca-web-crl.pem | openssl crl -crlnumber -lastupdate -noout
    crlNumber=11FF
    lastUpdate=Jun 8 13:37:28 2017 GMT

    # printf "%d\n" 0x11FF
    4607

b) Confirm also from web interface that CRL with serial 4607 was issued

2) Trying to getcrl via SCEP ( using sscep - https://github.com/certnanny/sscep )

    $ ./sscep | grep version
    sscep version 0.5

    $ ./sscep getca -c web_cacert -u http://pki.local/scep/web
    $ ls -l
    -rw------- 1 root root 1659 Jun 8 15:44 web_cacert-0
    -rw------- 1 root root 1728 Jun 8 15:44 web_cacert-1
    -rw------- 1 root root 1724 Jun 8 15:44 web_cacert-2
    -r-------- 1 root root 1704 May 17 17:17 server.key
    -rw------- 1 root root 6189 May 17 17:17 server.crt

    web_cacert-0 - SCEP ssl cert
    web_cacert-1 - RootCA
    web_cacert-2 - Intermediate CA (WebCA)
    server.crt - server ssl cert issued by WebCA

    $ ./sscep getcrl -v -c web_cacert-0 -u http://pki.local/scep/web -l server.crt -k server.key -w t.crl
    sscep: starting sscep, version 0.5
    sscep: new transaction
    sscep: transaction id: SSCEP transactionId
    sscep: hostname: pki.local
    sscep: directory: scep/web
    sscep: port: 80
    sscep: SCEP_OPERATION_GETCRL
    sscep: requesting crl
    sscep: request data dump
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    sscep: data payload size: 177 bytes
    sscep: successfully encrypted payload
    sscep: envelope size: 709 bytes
    sscep: creating outer PKCS#7
    sscep: signature added successfully
    sscep: adding signed attributes
    sscep: adding string attribute transId
    sscep: adding string attribute messageType
    sscep: adding octet attribute senderNonce
    sscep: PKCS#7 data written successfully
    sscep: applying base64 encoding
    sscep: base64 encoded payload size: 4043 bytes
    sscep: server returned status code 500
    sscep: mime_err: HTTP/1.1 500 Internal Server Error
    Date: Thu, 08 Jun 2017 13:48:20 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html

    <h1>Software error:</h1>
    <pre>I18N_OPENXPKI_CLIENT_DETACH_FAILED; __MESSAGE_FROM_SERVER__ => $VAR1 = { 'LABEL' => 'I18N_OPENXPKI_SERVICE_SCEP_RUN_UNRECOGNIZED_SERVICE_MESSAGE' }; </pre>
    sscep: wrong (or missing) MIME content type
    sscep: error while sending message

From openxpki.log

    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
    2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED

Regards,
Cho

On Tue, Jun 6, 2017 at 8:42 AM, Oliver Welter <[email protected]> wrote:

Hi Kevin,

thanks for bringing this up - we will investigate how to solve this without breaking other things.

Oliver

On 22.05.2017 at 14:47, Kevin Wallis wrote:

At the moment I solved the problem by changing the code from the “get_getcrl_issuer_serial.pm” file. I added the following code in line 107:

    $issuer = join ",", reverse split (/,/, $issuer);

So the DN is reversed. It would be very good if “get_getcrl_issuer_serial.pm” would order the issuer content itself. The result would be a request-source-independent solution.

Thanks for the help!

Regards,
Kevin

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- Protect your environment - close windows and adopt a penguin!
-- Protect your environment - close windows and adopt a penguin!
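
Added example, not part of the thread and not OpenXPKI code: the one-line workaround quoted above splits the issuer DN on every comma and reverses unconditionally, so it breaks on an escaped comma inside a value and on clients that already send the stored order. The Perl sketch below matches a requested issuer against stored DNs in either RDN order; split_dn, normalize_rdn and match_issuer are hypothetical helper names, and the DNs are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split a DN string into RDNs on unescaped commas only; RFC 4514 writes a
# literal comma inside a value as "\,". Leading space after a separator
# ("CN=a, O=b" style output) is dropped.
sub split_dn {
    my ($dn) = @_;
    my @rdns = $dn =~ /((?:[^\\,]|\\.)+)/gs;
    s/^\s+// for @rdns;
    return @rdns;
}

# Attribute types are case-insensitive; values are compared as given.
# Assumption: single-valued RDNs (no "+" handling).
sub normalize_rdn {
    my ($rdn) = @_;
    my ($type, $value) = split /=/, $rdn, 2;
    return lc($type) . '=' . ($value // '');
}

# Return the stored DN that equals the requested issuer in forward or fully
# reversed RDN order, or undef. RDN order is significant, so the DN is not
# treated as an unordered set: only these two exact sequences are accepted.
sub match_issuer {
    my ($requested, @known) = @_;
    my @req = map { normalize_rdn($_) } split_dn($requested);
    my $fwd = join ',', @req;
    my $rev = join ',', reverse @req;
    for my $dn (@known) {
        my $cand = join ',', map { normalize_rdn($_) } split_dn($dn);
        return $dn if $cand eq $fwd || $cand eq $rev;
    }
    return;
}

# Constructed sample data: one stored issuer DN, one request in reversed order.
my @known       = ('CN=Example Issuing CA,O=Example\, Inc.,DC=example,DC=org');
my $from_client = 'DC=org,DC=example,O=Example\, Inc.,CN=Example Issuing CA';

# The naive split tears "O=Example\, Inc." into two pieces.
my $naive = join ',', reverse split /,/, $from_client;
print "naive reverse: $naive\n";
print "reversed DN:   ", (match_issuer($from_client, @known) // 'no match'), "\n";
print "forward DN:    ", (match_issuer($known[0], @known) // 'no match'), "\n";
print "unknown DN:    ", (match_issuer('CN=Other CA,DC=example,DC=org', @known) // 'no match'), "\n";
```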
