Hello Oliver,
> What operating system are you using?
Debian 8.9
> What is the version of openssl (openssl version)?
OpenSSL 1.0.1t 3 May 2016
> First, at the system status page you see after login, is the "datasafe"
> token shown as "ONLINE"?
CertSign and Datasafe tokens are both shown as offline and presented on a red
background by the tables. There’s also another CRL-Error displayed which I
guess shouldn’t be there, as I’ve at least not intentionally issued any CRLs.
Another message shows: 'Your system status is critical'.
> Can you check if the key blobs in your database look "good". In table
> datapool, namespace sys.datapool.keys the values should start with "----BEGIN
> PKCS7-----" and end with "-----END PKCS7-----".
They look good.
> can you please access your database and empty the "secret" table
Still no change
Best regards,
Markus
> On 11. Jan 2018, at 11:20, Oliver Welter <m...@oliwel.de> wrote:
>
> Hi Markus,
>
> the good-bad-news - I was able to reproduce the, but only once - now it's
> working again.
>
> But I have an idea - can you please access your database and empty the
> "secret" table. This is a cache only which is rebuilt internally, perhaps
> there is some problem due to changed internal structures.
>
> best regards
>
> Oliver
>
> On 11.01.2018 at 08:51, Oliver Welter wrote:
>> Hello Markus,
>> in future please start a new mail thread with a "useful" subject line for
>> each problem - this will become a bit hard to track otherwise....
>> This looks very similar to the problem that Andreas reported last week.
>> @Andreas - did you find a cause/solution?
>> First, at the system status page you see after login, is the "datasafe"
>> token shown as "ONLINE"?
>> What operating system are you using?
>> What is the version of openssl (openssl version)?
>> Can you check if the key blobs in your database look "good". In table
>> datapool, namespace sys.datapool.keys the values should start with
>> "----BEGIN PKCS7-----" and end with "-----END PKCS7-----".
>> Oliver
>> On 09.01.2018 at 15:27, Markus Kastner via OpenXPKI-users wrote:
>>> Dear Oliver,
>>>
>>> thank you so much for your help! I was able to get the UI up and running.
>>> Unfortunately I ran into trouble again. I'm seemingly not able to issue any
>>> certificates using the Infrastructure. The error I get on the openxpki.log
>>> is the following:
>>>
>>> 2018/01/09 14:48:20 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
>>> __EXIT_STATUS__ => 512
>>> [pid=17724|sid=D9nz|wftype=certificate_signing_request_v2|wfid=3583]
>>> 2018/01/09 14:48:20 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__
>>> => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__
>>> => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_ST$
>>> 2018/01/09 14:48:20 ERROR
>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE;
>>> __SAFE_ID__ => ca-one-vault-1; __NAMESPACE__ => sys.datapool.keys;
>>> __PKI_REALM__ => ca-one; __KEY$
>>> 2018/01/09 14:48:21 ERROR Caught exception from action:
>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE;
>>> __KEY__ => Dnw0IuvDKxE30ko9Gb1I8BQ5j80; __SAFE_ID__ => ca-one-vault$
>>> 2018/01/09 14:48:21 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE;
>>> __ACTION__ => csr_persist_key_password; __ERROR__ =>
>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILAB$
>>>
>>> 2018/01/09 14:48:21 ERROR Error executing workflow activity
>>> 'csr_retype_server_password' on workflow id 3583 (type
>>> certificate_signing_request_v2):
>>> I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ERROR$
>>> 2018/01/09 14:48:21 ERROR
>>> I18N_OPENXPKI_SERVER_API_WORKFLOW_GET_WORKFLOW_INFO_NO_WORKFLOW_GIVEN;
>>> __ARGS__ => HASH(0x724a2f0) [pid=17724|sid=D9nz]
>>>
>>> After reading the error log several times I conclude that there seems to be
>>> a key missing
>>> (I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE)
>>> however I’m not able to figure out which one it is… Do you have any
>>> suggestions for me?
>>>
>>> Just as additional information the .pem files are in
>>> /etc/openxpki/ssl/ca-one/ order and running openxpkiadm alias --realm
>>> ca-one returns:
>>>
>>> === functional token ===
>>> ca-one-signer (certsign):
>>> Alias : ca-one-signer-1
>>> Identifier: eU3VSWoYdMwPAJZN23W6EcFRhlw
>>> NotBefore : 2017-12-19 11:00:59
>>> NotAfter : 2018-12-19 11:00:59
>>>
>>> ca-one-scep (scep):
>>> Alias : ca-one-scep-1
>>> Identifier: wOTSHqJV558ALdTfPnNuZubjYFw
>>> NotBefore : 2017-12-19 11:10:20
>>> NotAfter : 2018-12-19 11:10:20
>>>
>>> ca-one-vault (datasafe):
>>> Alias : ca-one-vault-1
>>> Identifier: V2qV3EsSaGiUUkIvQRmoZDk7Z48
>>> NotBefore : 2017-12-19 11:09:29
>>> NotAfter : 2018-12-19 11:09:29
>>>
>>> === root ca ===
>>> current root ca:
>>> Alias : root-1
>>> Identifier: 7K3Go4IUtFb12i_ncTPlwmhuIyY
>>> NotBefore : 2017-12-19 10:32:54
>>> NotAfter : 2106-02-07 06:28:15
>>>
>>>
>>> Kind regards,
>>> Markus
>>>
>>>
>>>> On 30. Dec 2017, at 21:35, Oliver Welter <m...@oliwel.de> wrote:
>>>>
>>>> Hi Markus,
>>>>
>>>> there is two times "utf8" in message: "en_US.utf8.UTF-8" - check the
>>>> settings in the webui.conf and the general debian settings for the
>>>> locales, there seems to be something wrong.
>>>>
>>>> Oliver
>>>>
>>>> On 30.12.2017 at 16:15, Markus Kastner via OpenXPKI-users wrote:
>>>>> Dear Oliver,
>>>>> thank you for your very quick reply. I’ve just checked out your
>>>>> suggestions but so far I wasn’t lucky… In order for you to maybe help me
>>>>> further I’ve attached the log file data. From what I can gather the webui
>>>>> still has a problem with the locales. Unfortunately I don’t know what's
>>>>> going wrong here, as locale -a | grep en_US replies with en_US.utf8.
>>>>> * openxpkictl status
>>>>>   o OpenXPKI Server is running and accepting requests.
>>>>> * webui.log:
>>>>> 2017/12/25 18:17:46
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/25 18:21:29
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/25 18:21:33
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/25 18:24:03
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/25 18:24:05
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:15:14
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:15:15
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:28:58
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:29:00
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:32:11
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:32:13
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:47:41
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:47:43
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:47:45
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:47:49
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:47:51
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> 2017/12/26 09:48:28
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> * error.log (apache2)
>>>>> o [Sat Dec 30 14:49:33 2017] webui.fcgi:
>>>>> I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>> en_US.utf8.UTF-8
>>>>> o [Sat Dec 30 14:49:33.075061 2017] [fcgid:warn] [pid 16225]
>>>>> (104)Connection reset by peer: [client xxx.xxx.xxx.22:1249]
>>>>> mod_fcgid: error reading data from FastCGI server, referer:
>>>>> http://xxx.xxx.xxx.76/openxpki/
>>>>> o [Sat Dec 30 14:49:33.075154 2017] [core:error] [pid 16225]
>>>>> [client xxx.xxx.xxx.22:1249] End of script output before
>>>>> headers: webui.fcgi, referer: http://xxx.xxx.xxx.76/openxpki/
>>>>> * locale -a | grep en_US
>>>>> o en_US
>>>>> o en_US.iso885915
>>>>> o en_US.utf8
>>>>> Kind regards,
>>>>> Markus
>>>>>> On 30. Dec 2017, at 17:44, Oliver Welter <m...@oliwel.de> wrote:
>>>>>>
>>>>>> Oliver
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org <http://Slashdot.org>!
>>>>> http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> OpenXPKI-users mailing list
>>>>> OpenXPKI-users@lists.sourceforge.net
>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>
>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>>
>>>>
>>>> --
>>>> Protect your environment - close windows and adopt a penguin!
>>>>
>>>
>>>
>>>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
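Added example (not part of the original messages and not OpenXPKI code): one way to turn the "do the key blobs look good" check on the sys.datapool.keys values into something repeatable. It assumes standard PEM boundary lines with five dashes on each side, takes the value as a string however you export it from the database, and uses a constructed sample blob; the function and variable names are made up for the illustration.

```python
import base64
import binascii
BEGIN, END = "-----BEGIN PKCS7-----", "-----END PKCS7-----"

def check_pkcs7_pem(value):
    """Return a list of problems found in one datapool value (empty list = looks good)."""
    lines = [ln.strip() for ln in value.strip().splitlines()]
    if not lines:
        return ["value is empty"]
    problems = []
    if lines[0] != BEGIN:
        problems.append("missing or malformed BEGIN PKCS7 line")
    if lines[-1] != END:
        problems.append("missing or malformed END PKCS7 line (truncated value?)")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return ["body is not valid base64"]
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded body does not start with an ASN.1 SEQUENCE"]
    if der[1] == 0x80:          # BER indefinite length: nothing to compare
        return []
    if der[1] < 0x80:           # short form: the byte is the content length
        header, length = 2, der[1]
    else:                       # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append(f"ASN.1 length says {header + length} bytes, got {len(der)}")
    return problems

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"

# Constructed sample: SEQUENCE { OID 1.2.840.113549.1.7.3 (envelopedData) }.
# Structurally well-formed, but not a real OpenXPKI key blob.
SAMPLE_DER = bytes.fromhex("300b06092a864886f70d010703")
GOOD = to_pem(SAMPLE_DER)
CUT = to_pem(SAMPLE_DER[:-4])                       # bytes lost inside the blob
NO_END = GOOD.replace(END, "")                      # value truncated on storage
WRONG_DASHES = GOOD.replace(BEGIN, "----BEGIN PKCS7-----")

if __name__ == "__main__":
    for name in ("GOOD", "CUT", "NO_END", "WRONG_DASHES"):
        print(name, check_pkcs7_pem(globals()[name]) or "ok")
```

A clean result only shows the stored blob is intact; it says nothing about whether the datasafe token can decrypt it, which is the step that fails in the log above (pkcs7_decrypt).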