Hi Oliver,

today I decided to debug this issue a bit and started a completely new and clean OpenXPKI system following the quickstart guide (certificates were generated via examples/sampleconfig.sh). The only modification I made was to change where the CRL and CA cert are published -> /var/www/html/ca-one/ (publishing.yaml).

Next ...

openxpkicmd --realm ca-one crl_issuance
Workflow created (ID: 1791), State: SUCCESS

openxpkicmd --realm ca-one ca_publish
Workflow created (ID: 2047), State: SUCCESS
Verification:

openssl crl -in /var/www/html/ca-one/ca-one.crl -crlnumber -lastupdate -issuer -noout
crlNumber=01FF
lastUpdate=Jun 9 13:07:32 2017 GMT
issuer=/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE

curl -s http://pki.local/ca-one/ca-one.crl | openssl crl -crlnumber -lastupdate -issuer -noout
crlNumber=01FF
lastUpdate=Jun 9 13:07:32 2017 GMT
issuer=/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=CA ONE

printf "%d\n" 0x01FF
511

Confirm also from the web interface that the CRL with serial 511 was issued.

============================

cd test

./sscep getca -u http://pki.local/scep/default \
    -c cacert
SUCCESS

openssl req \
    -new -keyout scep-test.key -out scep-test.csr \
    -newkey rsa:2048 -nodes \
    -subj "/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=scep-test.local" \
    -batch

./sscep enroll -u http://pki.local/scep/default \
    -k scep-test.key -r scep-test.csr \
    -c cacert-0 \
    -l scep-test.crt \
    -t 10 -n 1
SUCCESS

./sscep getcrl -u http://pki.local/scep/default \
    -k scep-test.key \
    -c cacert-0 \
    -l scep-test.crt \
    -w ca-one.crl
*FAILED*

*getcrl failed again with the same error mentioned in my previous mail -> time for debug mode:*

openxpkictl --debug .*:100 start

and run the getcrl again. I am attaching stderr.log.
From the log I am seeing the following:

start executing getcrl

line 1536
OpenXPKI::Service::SCEP::Command::PKIOperation::execute (line 109): PKCS7 GetCRL

get_getcrl_issuer_serial

line 1656
2017-06-09 16:00:59.171693 DEBUG:2 PID:2414 OpenXPKI::Crypto::Toolkit::command (line 421): Command: OpenXPKI::Crypto::Tool::SCEP::Command::get_getcrl_issuer_serial
2017-06-09 16:00:59.171999 DEBUG:64 PID:2414 OpenXPKI::Crypto::Tool::SCEP::Command::get_getcrl_issuer_serial::get_command (line 40): engine: $VAR1 = bless( {
  'CERT' => '/var/tmp/openxpki2414fGk_WH84',
  'ENGINE_SECTION' => '',
  'ENGINE_USAGE' => '',
  'KEY' => '/etc/openxpki/ssl/ca-one/ca-one-scep-1.pem',
  'KEY_STORE' => 'OPENXPKI',
  'SECRET *the rest of this debug message is censored by OpenXPKI::Debug*

Here it is strange for me that get_getcrl_issuer_serial is operating on the SCEP SSL cert and not on the scep-test.crt which was sent in the request:

openssl x509 -in /var/tmp/openxpki2414fGk_WH84 -subject -issuer -noout
subject= /DC=ORG/DC=OpenXPKI/OU=Test CA/CN=SCEP
issuer= /DC=ORG/DC=OpenXPKI/OU=Test CA/CN=Root CA

line 1794
2017-06-09 16:00:59.191031 DEBUG:16 PID:2414 OpenXPKI::Service::SCEP::Command::PKIOperation::__send_crl (line 234): Issuer Serial $VAR1 = {
  'ISSUER' => 'CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG',
  'SERIAL' => '0x02'
};

As the SCEP SSL cert is signed by Root CA, normally the Root CA serial was found...

around line 1965
2017-06-09 16:00:59.196698 DEBUG:64 PID:2414 OpenXPKI::Server::API::__ANON__ (line 1801): Calling OpenXPKI::Server::API::Object->get_crl_list
...
2017-06-09 16:00:59.199200 DEBUG:32 PID:2414 OpenXPKI::Server::API::Object::get_crl_list (line 816): Found crl
2017-06-09 16:00:59.199315 DEBUG:1 PID:2414 OpenXPKI::Server::API::Object::get_crl_list (line 818): Finished

The line "Found crl" is also a bit strange, as there is no CRL issued by Root CA...
I am suspecting that either sscep is not properly preparing/sending the getcrl request, or openxpki somehow is not properly processing the request, as for me the logical thing would be for the PKI to try to identify the issuer and its serial of the certificate that was sent via the -l/-k options, not the SCEP certificate.

To increase my suspicions I did the same setup as above with only one difference -> the SCEP cert was issued by CA ONE, not by Root CA.

./sscep getcrl -u http://pki.local/scep/default -k scep-test.key -c cacert-0 -l scep-test.crt -w ca-one.crl
./sscep: requesting crl
./sscep: valid response from server
./sscep: reply transaction id: SSCEP transactionId
./sscep: pkistatus: SUCCESS
./sscep: CRL written as ca-one.crl

Also tried with a self-signed SCEP cert, and again there was the error.

This, at least for me, points to the PKI executing get_getcrl_issuer_serial on the SCEP cert and not on the scep-test.crt which was sent via the request, and from there it tries to find the CRL..... and it fails.

Please correct me if I am wrong somewhere.

Thank you in advance!

Regards,
Cho

On Fri, Jun 9, 2017 at 8:15 AM, Oliver Welter <[email protected]> wrote:
> Hi Cho,
>
> I can not really make any sense of that...it looks like OpenXPKI finds the
> correct CRL but it is zero bytes.
>
> Can you please check the catchall.log if you can see any more useful
> messages?
>
> Oliver
>
>
> On 08.06.2017 at 15:59, Cho Chan wrote:
>
>> Hi Oliver,
>>
>> I will use the same thread as it is related to getcrl.
>> I am trying to get the CRL via SCEP using sscep, but I am receiving the following error:
>>
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
>>
>> Here is my action:
>>
>> 1) Issuing a new CRL on pki.local
>> # openxpkicmd --realm ca-web crl_issuance
>> Workflow created (ID: 1304063), State: SUCCESS
>>
>> From openxpki.log:
>> 2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::NICE::Local (446); anonymous(System)@8d6a#1304063] CRL issued for CA ca-web-signer-1 in realm ca-web
>> 2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_add_serial_to_status_hash on workflow #1304063
>> 2017/06/08 15:37:28 openxpki.application.INFO:7990 [OpenXPKI::Server::Workflow (147); anonymous(System)@8d6a#1304063] Execute action crl_publish_crl on workflow #1304063
>> 2017/06/08 15:37:28 openxpki.system.INFO:7990 [OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL (220); anonymous(System)@8d6a#1304063] CRL pubication date set for crl 4607
>>
>> Verifying...
>> a)
>> # openssl crl -in /var/www/html/ca-web/ca-web-crl.pem -crlnumber -lastupdate -noout
>> crlNumber=11FF
>> lastUpdate=Jun 8 13:37:28 2017 GMT
>>
>> curl -s http://pki.local/ca-web/ca-web-crl.pem | openssl crl -crlnumber -lastupdate -noout
>> crlNumber=11FF
>> lastUpdate=Jun 8 13:37:28 2017 GMT
>>
>> # printf "%d\n" 0x11FF
>> 4607
>> b) Confirm also from the web interface that the CRL with serial 4607 was issued.
>>
>>
>> 2) Trying to getcrl via SCEP (using sscep - https://github.com/certnanny/sscep)
>>
>> $ ./sscep | grep version
>> sscep version 0.5
>>
>> $ ./sscep getca -c web_cacert -u http://pki.local/scep/web
>> $ ls -l
>> -rw------- 1 root root 1659 Jun 8 15:44 web_cacert-0
>> -rw------- 1 root root 1728 Jun 8 15:44 web_cacert-1
>> -rw------- 1 root root 1724 Jun 8 15:44 web_cacert-2
>> -r-------- 1 root root 1704 May 17 17:17 server.key
>> -rw------- 1 root root 6189 May 17 17:17 server.crt
>>
>> web_cacert-0 - SCEP ssl cert
>> web_cacert-1 - RootCA
>> web_cacert-2 - Intermediate CA (WebCA)
>> server.crt   - server ssl cert issued by WebCA
>>
>> $ ./sscep getcrl -v -c web_cacert-0 -u http://pki.local/scep/web -l server.crt -k server.key -w t.crl
>> sscep: starting sscep, version 0.5
>> sscep: new transaction
>> sscep: transaction id: SSCEP transactionId
>> sscep: hostname: pki.local
>> sscep: directory: scep/web
>> sscep: port: 80
>> sscep: SCEP_OPERATION_GETCRL
>> sscep: requesting crl
>> sscep: request data dump
>> -----BEGIN CERTIFICATE REQUEST-----
>> -----END CERTIFICATE REQUEST-----
>> sscep: data payload size: 177 bytes
>> sscep: successfully encrypted payload
>> sscep: envelope size: 709 bytes
>> sscep: creating outer PKCS#7
>> sscep: signature added successfully
>> sscep: adding signed attributes
>> sscep: adding string attribute transId
>> sscep: adding string attribute messageType
>> sscep: adding octet attribute senderNonce
>> sscep: PKCS#7 data written successfully
>> sscep: applying base64 encoding
>> sscep: base64 encoded payload size: 4043 bytes
>> sscep: server returned status code 500
>> sscep: mime_err: HTTP/1.1 500 Internal Server Error
>> Date: Thu, 08 Jun 2017 13:48:20 GMT
>> Server: Apache
>> Connection: close
>> Content-Type: text/html
>>
>> <h1>Software error:</h1>
>> <pre>I18N_OPENXPKI_CLIENT_DETACH_FAILED; __MESSAGE_FROM_SERVER__ =>
>> $VAR1 = {
>>   'LABEL' => 'I18N_OPENXPKI_SERVICE_SCEP_RUN_UNRECOGNIZED_SERVICE_MESSAGE'
>> };
>> </pre>
>> sscep: wrong (or missing) MIME content type
>> sscep: error while sending message
>>
>> From openxpki.log:
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Exception.pm:109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Exception (109); scep-server-1()@ee1c] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply
>> 2017/06/08 15:44:21 openxpki.system.ERROR:7980 [OpenXPKI::Service::SCEP (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/SCEP.pm:395); scep-server-1()@ee1c] Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_crl_reply; __ERRVAL__ => I18N_OPENXPKI_FILEUTILS_WRITE_FILE_NO_CONTENT_SPECIFIED
>>
>> Regards,
>>
>> Cho
>>
>>
>> On Tue, Jun 6, 2017 at 8:42 AM, Oliver Welter <[email protected]> wrote:
>>
>> Hi Kevin,
>>
>> thanks for bringing this up - we will investigate how to solve this
>> without breaking other things.
>>
>> Oliver
>>
>>
>> On 22.05.2017 at 14:47, Kevin Wallis wrote:
>>
>> At the moment I solved the problem by changing the code in the
>> "get_getcrl_issuer_serial.pm" file.
>>
>> I added the following code in line 107:
>>
>> $issuer = join ",", reverse split (/,/, $issuer);
>>
>> So the DN is reversed. It would be very good if
>> "get_getcrl_issuer_serial.pm" would order the issuer content itself.
>> The result would be a request-source-independent solution.
>>
>> Thanks for the help!
>>
>> Regards,
>>
>> Kevin
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
>
> --
> Protect your environment - close windows and adopt a penguin!
>
debug_stderr.log.gz
Description: GNU Zip compressed data
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
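The DN ordering problem Kevin describes in the quoted thread is visible in the log excerpts above: OpenSSL prints the issuer root-first with "/" separators (/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=Root CA), while the ISSUER the server logs is leaf-first in RFC 4514 form with "," separators (CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG). A byte-wise compare of the two never matches, and reversing a plain split on "," breaks as soon as a value contains an escaped comma. The following is an added example written for this page, not code from OpenXPKI or sscep: it normalises either serialisation to one canonical form so an issuer lookup is independent of which tool produced the string. The two DN constants are copied from the log excerpts; the function names and the escape handling are assumptions of this illustration, and it goes slightly beyond the thread by handling backslash escapes in both formats.

```python
"""Format-independent issuer DN comparison (added example, not OpenXPKI code).

The same issuer appears in this thread in two serialisations:
  OpenSSL "oneline":  /DC=ORG/DC=OpenXPKI/OU=Test CA/CN=Root CA   (root-first, "/"-separated)
  RFC 4514 string:    CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG    (leaf-first, ","-separated)
A byte-wise compare of the two fails even though they name the same CA.
"""
from typing import List, Tuple

# DN strings copied from the log excerpts in the thread above.
ONELINE_DN = "/DC=ORG/DC=OpenXPKI/OU=Test CA/CN=Root CA"
RFC4514_DN = "CN=Root CA,OU=Test CA,DC=OpenXPKI,DC=ORG"

RDN = Tuple[str, str]


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split `text` on `sep`, honouring backslash escapes.

    A backslash protects the next character from acting as a separator and is
    dropped, so "a\\,b" splits to ["a,b"]. A bare split on the separator would
    cut that value in two, which is the weakness of reversing a plain split.
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def _parse_rdn(rdn: str) -> RDN:
    """Split one RDN "type=value" into (TYPE, value)."""
    attr, eq, value = rdn.partition("=")
    if not eq:
        raise ValueError(f"RDN without '=': {rdn!r}")
    # Attribute types are case-insensitive; values are kept as given (full
    # RFC 4518 string preparation is out of scope for this illustration).
    return attr.strip().upper(), value.strip()


def canonical_dn(dn: str) -> Tuple[RDN, ...]:
    """Normalise either serialisation to a leaf-first tuple of (type, value)."""
    dn = dn.strip()
    if dn.startswith("/"):
        # OpenSSL oneline: root-first, "/"-separated -> reverse to leaf-first.
        rdns = _split_unescaped(dn[1:], "/")
        return tuple(_parse_rdn(r) for r in reversed(rdns))
    # RFC 4514: already leaf-first, ","-separated.
    return tuple(_parse_rdn(r) for r in _split_unescaped(dn, ","))


def same_issuer(dn_a: str, dn_b: str) -> bool:
    """True when both strings name the same issuer, whatever their format."""
    return canonical_dn(dn_a) == canonical_dn(dn_b)


def to_rfc4514(dn: str) -> str:
    """Render any accepted DN string in RFC 4514 order and separators.

    Values are not re-escaped here; the output is for display and comparison.
    """
    return ",".join(f"{t}={v}" for t, v in canonical_dn(dn))


if __name__ == "__main__":
    # The naive compare fails, the normalised one succeeds.
    print("naive compare:", ONELINE_DN.lstrip("/").replace("/", ",") == RFC4514_DN)
    print("normalised   :", same_issuer(ONELINE_DN, RFC4514_DN))
    print(to_rfc4514(ONELINE_DN))
```

Matching on the canonical tuple rather than on the raw string is what makes the lookup "request source independent" in Kevin's sense: whichever side produced the DN, and whatever its escaping, the same issuer resolves to the same key.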
