Re: [OpenXPKI-users] Problem with datasafe token

Mon, 15 Jan 2018 05:26:20 -0800 

Dear Oliver,

It’s the recent 1.19 version which was/is a fresh install.

Concerning your request I have send you and email (not via the mailing list).

Kind regards,
Markus 



> On 12. Jan 2018, at 09:23, Oliver Welter <m...@oliwel.de> wrote:
> 
> Hi Markus,
> 
> You are running the recent 1.19 I guess?
> Is this a fresh install or upgrade?
> 
> Would you be able to provide remote access (via screenshare or the like) so 
> we can have a look at it? I am really interessted whats going on here (we can 
> negotaite that via PM)
> 
> Oliver
> 
> Am 11.01.2018 um 19:33 schrieb Markus Kastner via OpenXPKI-users:
>> Hello Oliver,
>>> What operating system are you using?
>> Debian 8.9
>>> What is the version of openssl (openssl version)?
>> OpenSSL 1.0.1t  3 May 2016
>>> First, at the system status page you see aftrer login, is the "datasafe" 
>>> token shown as "ONLINE”?
>> CertSign and Datasafe tokens are both showed as offline and presented on a 
>> red background by the tables. There’s also another CRL-Error displayed which 
>> I guess shouldn’t be there, as I’ve at least not intentionally issued any 
>> CRLs. Another message shows: 'Your system status is critical’.
>>> Can you check if the key blobs in your database look "good". In table 
>>> datapool, namespace sys.datapool.keys the values should start with 
>>> "----BEGIN PKCS7-----" and end with "-----END PKCS7——".
>> They look good.
>>> can you please access your database and empty the "secret” table
>> Still no change
>> Best regards,
>> Markus
>>> On 11. Jan 2018, at 11:20, Oliver Welter <m...@oliwel.de 
>>> <mailto:m...@oliwel.de> <mailto:m...@oliwel.de <mailto:m...@oliwel.de>>> 
>>> wrote:
>>> 
>>> Hi Markus,
>>> 
>>> the good-bad-news - I was able to reproduce the, but only once - now its 
>>> working again.
>>> 
>>> But I have an idea - can you please access your database and empty the 
>>> "secret" table. This is a cache only which is rebuild internally, perhaps 
>>> there is some problem due to changed internal structures.
>>> 
>>> best regards
>>> 
>>> Oliver
>>> 
>>> Am 11.01.2018 um 08:51 schrieb Oliver Welter:
>>>> Hello Markus,
>>>> in future please start a new mail thread with a "useful" subject line for 
>>>> each problem - this will become a bit hard to track otherwise....
>>>> This looks very similar to the problem that Andreas reported last week.
>>>> @Andreas - did you find a cause/solution?
>>>> First, at the system status page you see aftrer login, is the "datasafe" 
>>>> token shown as "ONLINE"?
>>>> What operating system are you using?
>>>> What is the version of openssl (openssl version)?
>>>> Can you check if the key blobs in your database look "good". In table 
>>>> datapool, namespace sys.datapool.keys the values should start with 
>>>> "----BEGIN PKCS7-----" and end with "-----END PKCS7-----".
>>>> Oliver
>>>> Am 09.01.2018 um 15:27 schrieb Markus Kastner via OpenXPKI-users:
>>>>> Dear Oliver,
>>>>> 
>>>>> thank you so much for your help! I was able to get the UI up and running. 
>>>>> Unfortunately I ran into trouble again. I'm seemingly not able to issue 
>>>>> any certificates using the Infrastructure. The error I get on the 
>>>>> openxpki.log is the following:
>>>>> 
>>>>> 2018/01/09 14:48:20 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; 
>>>>> __EXIT_STATUS__ => 512 
>>>>> [pid=17724|sid=D9nz|wftype=certificate_signing_request_v2|wfid=3583]
>>>>> 2018/01/09 14:48:20 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; 
>>>>> __COMMAND__ => 
>>>>> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt; __ERRVAL__ => 
>>>>> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_ST$
>>>>> 2018/01/09 14:48:20 ERROR 
>>>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE;
>>>>>  __SAFE_ID__ => ca-one-vault-1; __NAMESPACE__ => sys.datapool.keys; 
>>>>> __PKI_REALM__ => ca-one; __KEY$
>>>>> 2018/01/09 14:48:21 ERROR Caught exception from action: 
>>>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE;
>>>>>  __KEY__ => Dnw0IuvDKxE30ko9Gb1I8BQ5j80; __SAFE_ID__ => ca-one-vault$
>>>>> 2018/01/09 14:48:21 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; 
>>>>> __ACTION__ => csr_persist_key_password; __ERROR__ => 
>>>>> I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILAB$
>>>>> 2018/01/09 14:48:21 ERROR Error executing workflow activity 
>>>>> 'csr_retype_server_password' on workflow id 3583 (type 
>>>>> certificate_signing_request_v2): 
>>>>> I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ERROR$
>>>>> 2018/01/09 14:48:21 ERROR 
>>>>> I18N_OPENXPKI_SERVER_API_WORKFLOW_GET_WORKFLOW_INFO_NO_WORKFLOW_GIVEN; 
>>>>> __ARGS__ => HASH(0x724a2f0) [pid=17724|sid=D9nz]
>>>>> 
>>>>> After reading the error log several times I conclude that there seems to 
>>>>> be a key missing 
>>>>> (I18N_OPENXPKI_SERVER_API_OBJECT_GET_DATA_POOL_ENTRY_ENCRYPTION_KEY_UNAVAILABLE)
>>>>>  however I’m not able to figure out which one it is… Do you have any 
>>>>> suggestions for me?
>>>>> 
>>>>> Just as additional information the .pem files are in 
>>>>> /etc/openxpki/ssl/ca-one/ order and running openxpkiadm alias --realm 
>>>>> ca-one returns:
>>>>> 
>>>>> === functional token ===
>>>>> ca-one-signer (certsign):
>>>>> Alias     : ca-one-signer-1
>>>>> Identifier: eU3VSWoYdMwPAJZN23W6EcFRhlw
>>>>> NotBefore : 2017-12-19 11:00:59
>>>>> NotAfter  : 2018-12-19 11:00:59
>>>>> 
>>>>> ca-one-scep (scep):
>>>>> Alias     : ca-one-scep-1
>>>>> Identifier: wOTSHqJV558ALdTfPnNuZubjYFw
>>>>> NotBefore : 2017-12-19 11:10:20
>>>>> NotAfter  : 2018-12-19 11:10:20
>>>>> 
>>>>> ca-one-vault (datasafe):
>>>>> Alias     : ca-one-vault-1
>>>>> Identifier: V2qV3EsSaGiUUkIvQRmoZDk7Z48
>>>>> NotBefore : 2017-12-19 11:09:29
>>>>> NotAfter  : 2018-12-19 11:09:29
>>>>> 
>>>>> === root ca ===
>>>>> current root ca:
>>>>> Alias     : root-1
>>>>> Identifier: 7K3Go4IUtFb12i_ncTPlwmhuIyY
>>>>> NotBefore : 2017-12-19 10:32:54
>>>>> NotAfter  : 2106-02-07 06:28:15
>>>>> 
>>>>> 
>>>>> Kind regards,
>>>>> Markus
>>>>> 
>>>>> 
>>>>>> On 30. Dec 2017, at 21:35, Oliver Welter <m...@oliwel.de 
>>>>>> <mailto:m...@oliwel.de> <mailto:m...@oliwel.de <mailto:m...@oliwel.de>> 
>>>>>> <mailto:m...@oliwel.de <mailto:m...@oliwel.de>>> wrote:
>>>>>> 
>>>>>> Hi Markus,
>>>>>> 
>>>>>> there is two times "utf8" in message: "en_US.utf8.UTF-8" - check the 
>>>>>> settings in the webui.conf and the general debian settings for the 
>>>>>> locales, there seems to be something wrong.
>>>>>> 
>>>>>> Oliver
>>>>>> 
>>>>>> Am 30.12.2017 um 16:15 schrieb Markus Kastner via OpenXPKI-users:
>>>>>>> Dear Oliver,
>>>>>>> thank you for your very quick reply. I’ve just checked out your 
>>>>>>> suggestions but so far I wasn’t lucky… In order for you to maybe help 
>>>>>>> me further I’ve attached the log file data. From what I can gather the 
>>>>>>> webui still has a problem with the locals. Unfortunately I don’t know 
>>>>>>> whats going wrong here, as locale -a | grep en_US replies with 
>>>>>>> en_US.utf8.
>>>>>>>  *
>>>>>>>    openxpkictl status
>>>>>>>      o
>>>>>>>        OpenXPKI Server is running and accepting requests.
>>>>>>>  * webui.log:
>>>>>>>      o
>>>>>>>        2017/12/25 18:17:46
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/25 18:21:29
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/25 18:21:33
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/25 18:24:03
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/25 18:24:05
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:15:14
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:15:15
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:28:58
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:29:00
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:32:11
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:32:13
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:47:41
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:47:43
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:47:45
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:47:49
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:47:51
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>        2017/12/26 09:48:28
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>  * error.log (apache2)
>>>>>>>      o
>>>>>>>      o </p>
>>>>>>>      o [Sat Dec 30 14:49:33 2017] webui.fcgi:
>>>>>>>        I18N_OPENXPKI_I18N_SETLOCALE_LC_MESSAGES_FAILED; __LOCALE__ =>
>>>>>>>        en_US.utf8.UTF-8
>>>>>>>      o [Sat Dec 30 14:49:33.075061 2017] [fcgid:warn] [pid 16225]
>>>>>>>        (104)Connection reset by peer: [client xxx.xxx.xxx.22:1249]
>>>>>>>        mod_fcgid: error reading data from FastCGI server, referer:
>>>>>>> http://xxx.xxx.xxx.76/openxpki/ <http://xxx.xxx.xxx.76/openxpki/>
>>>>>>>      o [Sat Dec 30 14:49:33.075154 2017] [core:error] [pid 16225]
>>>>>>>        [client xxx.xxx.xxx.22:1249] End of script output before
>>>>>>>        headers: webui.fcgi, referer: http://xxx.xxx.xxx.76/openxpki/ 
>>>>>>> <http://xxx.xxx.xxx.76/openxpki/>
>>>>>>>  * locale -a | grep en_US
>>>>>>>      o en_US
>>>>>>>      o en_US.iso885915
>>>>>>>      o en_US.utf8
>>>>>>> Kind regard,
>>>>>>> Markus
>>>>>>>> On 30. Dec 2017, at 17:44, Oliver Welter <m...@oliwel.de 
>>>>>>>> <mailto:m...@oliwel.de> <mailto:m...@oliwel.de 
>>>>>>>> <mailto:m...@oliwel.de>> <mailto:m...@oliwel.de 
>>>>>>>> <mailto:m...@oliwel.de>>> wrote:
>>>>>>>> 
>>>>>>>> Oliver
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org <http://slashdot.org/> 
>>>>>>> <http://Slashdot.org <http://slashdot.org/>>! http://sdm.link/slashdot 
>>>>>>> <http://sdm.link/slashdot>
>>>>>>> _______________________________________________
>>>>>>> OpenXPKI-users mailing list
>>>>>>> OpenXPKI-users@lists.sourceforge.net 
>>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net> 
>>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>>
>>>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
>>>>>>> <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Protect your environment -  close windows and adopt a penguin!
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org <http://slashdot.org/> 
>>>>>> <http://Slashdot.org <http://slashdot.org/>> <http://Slashdot.org 
>>>>>> <http://slashdot.org/>>! http://sdm.link/slashdot 
>>>>>> <http://sdm.link/slashdot>
>>>>>> _______________________________________________
>>>>>> OpenXPKI-users mailing list
>>>>>> OpenXPKI-users@lists.sourceforge.net 
>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net> 
>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>> 
>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>>
>>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
>>>>>> <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>>>>> 
>>>>> 
>>>>> 
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org <http://slashdot.org/> 
>>>>> <http://Slashdot.org <http://slashdot.org/>>! http://sdm.link/slashdot 
>>>>> <http://sdm.link/slashdot>
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OpenXPKI-users mailing list
>>>>> OpenXPKI-users@lists.sourceforge.net 
>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net> 
>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>>
>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
>>>>> <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites,Slashdot.org <http://slashdot.org/> 
>>>> <http://slashdot.org/ <http://slashdot.org/>>!http://sdm.link/slashdot 
>>>> <http://sdm.link/slashdot>
>>>> _______________________________________________
>>>> OpenXPKI-users mailing list
>>>> OpenXPKI-users@lists.sourceforge.net 
>>>> <mailto:OpenXPKI-users@lists.sourceforge.net> 
>>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>>> <mailto:OpenXPKI-users@lists.sourceforge.net>>
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
>>>> <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>>> 
>>> 
>>> --
>>> Protect your environment -  close windows and adopt a penguin!
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org <http://slashdot.org/> 
>>> <http://Slashdot.org <http://slashdot.org/>>! 
>>> http://sdm.link/slashdot_______________________________________________ 
>>> <http://sdm.link/slashdot_______________________________________________>
>>> OpenXPKI-users mailing list
>>> OpenXPKI-users@lists.sourceforge.net 
>>> <mailto:OpenXPKI-users@lists.sourceforge.net> 
>>> <mailto:OpenXPKI-users@lists.sourceforge.net 
>>> <mailto:OpenXPKI-users@lists.sourceforge.net>>
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> OpenXPKI-users mailing list
>> OpenXPKI-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 
> 
> -- 
> Protect your environment -  close windows and adopt a penguin!
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! 
> http://sdm.link/slashdot_______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Reply via email to