Hello Raphael,

what Linux distro are you using and where did you get the openca-scep package from?

Please provide the output of

    openca-scep -version
    openssl version

best regards

Oliver

On 27.09.2018 at 15:51, Raphael Buquet wrote:
> Hi,
>
> I am trying to get the SCEP auto enroll test working and I am really close.
> In fact everything is running normally, the certificate is generated and
> published. The OpenXPKI interface lists it with a SUCCESS status.
>
> I have an error while OpenXPKI is constructing the SCEP answer to the
> client that requested a certificate.
>
> Any help would be greatly appreciated!
>
> Thanks
>
> Raphaël
>
> I use sscep to test and here are the client logs:
> ./mkrequest -dns test6.it-factory.prod.lan
> Generating RSA private key, 2048 bit long modulus
> .................+++
> .........+++
> e is 65537 (0x010001)
> ./sscep_dyn enroll -f sscep.conf
> ./sscep_dyn: Found private key ./local.key as file. If the engine can handle it, loading the file
> ./sscep_dyn: sending certificate request
> ./sscep_dyn: error while sending message
>
> Here are the OpenXPKI logs:
> 2018/09/27 15:44:59 openxpki.application.INFO SCEP incoming request, id EC6B7939CE785764476E61D4C5C5F340 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO SCEP try to start new workflow for EC6B7939CE785764476E61D4C5C5F340 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO Execute action scep_initialize on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO Execute action scep_extract_csr on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.WARN SCEP csr key size is ok (rsaEncryption / 2048) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO SCEP csr hash type is ok (sha1) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO SCEP subject rendering enabled ( I18N_OPENXPKI_PROFILE_TLS_SERVER / enroll ) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:44:59 openxpki.application.INFO SCEP signer subject: CN=test6.it-factory.prod.lan - is selfsign [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Execute action scep_calculate_hmac on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Execute action scep_set_workflow_attributes on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Execute action scep_fetch_group_policy on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Execute action scep_eval_signer_trust on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:00 openxpki.application.INFO Trusted Signer not found in trust list (CN=test6.it-factory.prod.lan). [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_set_request_mode on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_eval_eligibility on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Eligibility check for scep.scep-ca-prod.eligible.initial granted [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_revoke_existing_certs on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO SCEP autorevoke - no active certs [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_revoke_existing_certs on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO SCEP autorevoke - no active certs [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_calc_approvals on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO SCEP auto approval for initial enrollment of CN=test6.it-factory.prod.lan,DC=it-factory,O=DRS,L=Monaco,ST=Monaco,C=MC [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.audit.approval.INFO scep add approval pointHASH(0x81f0f48) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO SCEP got required approval points (1/0) for CN=test6.it-factory.prod.lan,DC=it-factory,O=DRS,L=Monaco,ST=Monaco,C=MC [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.audit.approval.INFO scep request fully approvedHASH(0x81da050) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop2 on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO Execute action scep_persist_csr on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:01 openxpki.application.INFO persisted csr for CN=test6.it-factory.prod.lan,DC=it-factory,O=DRS,L=Monaco,ST=Monaco,C=MC with csr_serial 4863 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action global_nice_issue_certificate on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO start cert issue for serial 4863, workflow 30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Certificate CN=test6.it-factory.prod.lan,DC=it-factory,O=DRS,L=Monaco,ST=Monaco,C=MC (283339545891964645657727) issued by ca-prod-signer-1 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.audit.cakey.INFO certificate signedHASH(0x8248c28) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.audit.entity.INFO certificate issuedHASH(0x8230630) [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action scep_persist_cert_metadata on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action scep_notify_cert_issued on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Trigger notification message scep_cert_issued [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.system.WARN Not a mail address: [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.system.WARN Failed sending notification - no receipient [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action global_noop on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action scep_publish_certificate on workflow #30463 [pid=12497|sid=TSco|wftype=enrollment|wfid=30463|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action certpublish_initialize on workflow #30719 [pid=12497|sid=TSco|wftype=certificate_publishing|wfid=30719|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action global_disconnect on workflow #30719 [pid=12497|sid=TSco|wftype=certificate_publishing|wfid=30719|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Action global_disconnect paused (I18N_OPENXPKI_UI_WORKFLOW_MOVE_TO_BACKGROUND), wakeup 2018-09-27T13:45:03 [pid=12497|sid=TSco|wftype=certificate_publishing|wfid=30719|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 Workflow.ERROR Caught exception from action: [Generic exception]; reset workflow to old state 'WAITING_FOR_START' [pid=12497|sid=TSco|wftype=certificate_publishing|wfid=30719|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Publishing workflow created with id 30719 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:02 openxpki.application.INFO Execute action scep_invalidate_challenge_pass on workflow #30463 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:03 openxpki.application.INFO SCEP started new workflow with id 30463, state SUCCESS [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:03 system.crypto.ERROR OpenSSL error: OpenCA Simple Certificate Enrollment Protocol Tools
> (c) 2002 by Massimiliano Pala and OpenCA Group
> OpenCA licensed software
>
> USAGE: openca-scep [ args ]
>
> -new build a new SCEP message.
> -in file input SCEP message file (default is stdin)
> -out file write SCEP message to file (default is stdout).
> -inform input data format (default is PEM).
> -outform output data format (default is PEM).
> -signcert file signer certificate for SCEP message.
> -signcertform certificate file format (default is PEM).
> -reccert file recipient encoding certificate for SCEP message.
> -reccertform certificate file format (default is PEM).
> -keyfile file decoding secret key file.
> -keyform decoding secret key file format (default is PEM).
> -passin arg Password passing method (check openssl for options).
> -passwd pwd Password protecting the private key (if any).
> -CAfile file CA's trusted certificate.
> -CAform CA's trusted certificate format (default is PEM).
>
> New Message Extensions:
>
> -msgtype <arg> new message format type (default is PKCSReq).
> -print_serial print serial (CertReq msgtype).
> -status <arg> new SCEP message status (SUCCESS|PENDING|FAILURE).
> -failinfo <arg> new SCEP message failure info ( BadAlg|... ).
> -recnonce <arg> new SCEP message Recipient NONCE val (i.e. 04:A4:...).
> -sendnonce <arg> new SCEP message Sender NONCE val (i.e. 04:06:FF:...).
> -copynonce copy NONCE from input message (generate the reply).
> -des encrypt envelope with normal des (default is 3des).
>
> Data Content (to be added in the envelope):
>
> -reqfile file pkcs#10 request to be included into the PKCSReq.
> -reqformat file pkcs#10 request's format.
> -crlfile file CRL to be included into the CertRep Message.
> -crlformat file CRL's format.
> -issuedcert file issued cert to be added to a SUCCESS CertRep msg.
> -issuedcertform issued cert file format (default is PEM).
> -serial serial of requested certificate (CertReq msgtype).
> -text Prints out data in human readable form.
> -print_scert print signer's certificate.
> -print_req print request data (PKCSReq messages).
> -print_crl print CRL (CertRep messages).
> -print_sendnonce print used sender NONCE.
> -print_recnonce print used recipient NONCE.
> -print_transid print used transaction ID.
> -print_msgtype print message type.
> -noout Do not output original data.
> -version Print Package Version and exits.
> -debug Output Debugging information.
> -v Talk alot while doing things
> [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:03 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:03 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_certificate_reply; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:03 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::create_certificate_reply; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=12497|sid=TSco|sceptid=EC6B7939CE785764476E61D4C5C5F340]
> 2018/09/27 15:45:07 openxpki.application.INFO Execute action global_disconnect on workflow #30719 [pid=12511|user=scep-ca-prod|role=RA Operator|sid=TpPB]
> 2018/09/27 15:45:07 openxpki.application.INFO Execute action certpublish_publish_profile on workflow #30719 [pid=12511|user=scep-ca-prod|role=RA Operator|sid=TpPB]
> 2018/09/27 15:45:07 openxpki.application.INFO Start publication to test6.it-factory.prod.lan for CN=test6.it-factory.prod.lan,DC=it-factory,O=DRS,L=xxxxx,ST=xxxxx,C=xx [pid=12511|user=scep-ca-prod|role=RA Operator|sid=TpPB]
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
