Hi Oliver, like I already said it is just my test environment (which I will recreate on a monthly/frequent basis). So no problem to send CSR & key:
CSR: https://pastebin.com/etyybJx8
KEY: https://pastebin.com/zh4jbTw3

Additionally, below are the outputs of my client commands & the server-side log entries. Big thank you for your help at this point :)

root@c0e6458188af0:~# openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes -passin pass:$pass -subj "${SUBJECTPATH}/CN=${HOSTNAME}"
Generating a 2048 bit RSA private key
...........+++
.........................................................................................................+++
writing new private key to '/tmp/scep/scep-test.key'
-----
root@c0e6458188af0:~# sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c $scepra_crt_f -l $crt_f -t 10 -n 1
sscep: starting sscep, version 0.6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: openxpki-000001
sscep: directory: scep/scep
sscep: port: 80
sscep: Read request with transaction id: 1A4A3035867CB089EFE592F20A8BF140
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
sscep: data payload size: 705 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1367 bytes
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: applying base64 encoding
sscep: base64 encoded payload size: 4063 bytes
sscep: server returned status code 200
sscep: MIME header: x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 2263 bytes
sscep: PKCS#7 contains 0 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 1A4A3035867CB089EFE592F20A8BF140
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: ED8594E1F9B611BCDF77F733CA93D0BF
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: 81A68EAC92BF80D4B582C6ACD2D94749
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
root@c0e6458188af0:~#

root@openxpki-000001:~# cat /var/log/openxpki/scep.log
2018/10/15 15:34:33 DEBUG:2813 Autodetect config file for service scep: scep.conf
2018/10/15 15:34:33 DEBUG:2813 No config file found, falling back to default
2018/10/15 15:34:33 INFO:2813 Incoming request from 192.168.33.32 with PKIOperation
2018/10/15 15:34:34 DEBUG:2813 Response send

root@openxpki-000001:~# cat /var/log/openxpki/workflows.log
2018/10/15 15:34:33 1279 Execute action enroll_initialize on workflow #1279
2018/10/15 15:34:33 1279 Execute action global_map_url_params on workflow #1279
2018/10/15 15:34:33 1279 Execute action enroll_set_workflow_attributes on workflow #1279
2018/10/15 15:34:33 1279 Execute action global_load_policy on workflow #1279
2018/10/15 15:34:33 1279 Execute action global_set_profile on workflow #1279
2018/10/15 15:34:33 1279 Execute action enroll_parse_pkcs10 on workflow #1279
2018/10/15 15:34:34 1279 Execute action enroll_render_subject on workflow #1279
2018/10/15 15:34:34 1279 Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org
2018/10/15 15:34:34 1279 Execute action enroll_set_workflow_attributes on workflow #1279
2018/10/15 15:34:34 1279 Execute action global_check_authorized_signer on workflow #1279
2018/10/15 15:34:34 1279 Trusted Signer chain validation FAILED
2018/10/15 15:34:34 1279 Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,S=Baden-Württemberg Region,C=DE).
2018/10/15 15:34:34 1279 Execute action enroll_set_mode_onbehalf on workflow #1279
2018/10/15 15:34:34 1279 Execute action global_set_error_signer_not_authorized on workflow #1279

root@openxpki-000001:~# cat /var/log/openxpki/catchall.log
2018/10/15 15:34:33 openxpki.application.INFO SCEP incoming request, id 1A4A3035867CB089EFE592F20A8BF140 [pid=2820|sid=yApe|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO SCEP try to start new workflow for 1A4A3035867CB089EFE592F20A8BF140 [pid=2820|sid=yApe|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action enroll_initialize on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action global_map_url_params on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action global_load_policy on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action global_set_profile on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:33 openxpki.application.INFO Execute action enroll_parse_pkcs10 on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Execute action enroll_render_subject on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Execute action global_check_authorized_signer on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,S=Baden-Württemberg Region,C=DE). [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Execute action enroll_set_mode_onbehalf on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO Execute action global_set_error_signer_not_authorized on workflow #1279 [pid=2820|sid=yApe|wftype=certificate_enroll|wfid=1279|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.INFO SCEP started new workflow with id 1279, state FAILURE [pid=2820|sid=yApe|sceptid=1A4A3035867CB089EFE592F20A8BF140]
2018/10/15 15:34:34 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2820|sid=yApe|sceptid=1A4A3035867CB089EFE592F20A8BF140]
root@openxpki-000001:~#

On Sun, 14 Oct 2018 at 19:43, Oliver Welter <[email protected]> wrote:

> Hi Martin,
>
> I am unable to reproduce the problem here...what version on what OS are
> you running? Can you upload to pastebin (or send by PM) the CSR/KEY used
> so I can check if there are some "hidden characters".
>
> > From the documentation I understood that there are different types of
> > requests and I thought which workflow type is started depends on:
> > 1. the request type (e.g. if it is enroll or renewal)
> > 2. the policy: section of scep-server-1.yaml
>
> I think you are mixing some terms we use in another way - "workflow type"
> is the "overall" workflow in OpenXPKI terms, what you are referring to is
> the "type of operational mode" and this is only determined by the data
> of the request. The settings in the policy section can just turn on or
> off certain authentication/approval modes so workflows are directly sent
> to failure if something is missing.
>
> Oliver
>
> > Is that correct?
> > Thanks for your reply
> >
> > Kind Regards
> >
> > Martin
> >
> > On Sat, 13 Oct 2018 at 16:43, Oliver Welter <[email protected]> wrote:
> >
> > > Hi Martin,
> > >
> > > there is nothing to setup for anonymous initial enrollment so it looks
> > > like the workflow does branch into the wrong subtree.
> > >
> > > Can you please check in the workflow view what the values for
> > > "csr_subject" and "signer_subject" are and if csr_subject_key_identifier
> > > and signer_subject_key_identifier are set and are equal.
> > >
> > > Please also open the workflow history and check what "START_*" state was
> > > passed - I assume you see START_ONBEHALF.
> > >
> > > best regards
> > >
> > > Oliver
> > >
> > > On 13.10.2018 at 12:55, Martin Krämer wrote:
> > > > Hi Everyone,
> > > >
> > > > I am trying to achieve certificate auto enrollment using sscep for some
> > > > debian clients.
> > > > All scep enroll requests fail with the error "Requester is not in
> > > > authorized signer list."
> > > > What I do not understand is where is the authorized signer list defined?
> > > > I thought I am doing unauthorized requests, not requests on behalf ..
> > > > why do I need the authorized signer at all?
> > > >
> > > > ---- Some more detailed background - I just wanted to put my questions
> > > > first ----
> > > >
> > > > The goal is to have some kind of "zero touch" certificate enrollment.
> > > > As a first testing step no authentication is required.
> > > > ( I do not want to put complexity too high at the moment :) )
> > > >
> > > > I have installed openxpki on debian 8.11 and I am able to get the CA
> > > > certificates on my debian 9 clients with sscep installed using:
> > > > sscep getca -u $SRV_OPENXPKI -v -c $scepra_crt_f
> > > >
> > > > I then create the certificate request using (which works without any
> > > > problem, too):
> > > > openssl req -new -keyout $key_f -out $csr_f -newkey rsa:2048 -nodes
> > > > -subj "${SUBJECTPATH}/CN=${COMMONNAME}"
> > > >
> > > > After this I try to enroll the certificate using the previously
> > > > created csr:
> > > > sscep enroll -v -u $SRV_OPENXPKI -k $key_f -r $csr_f -c
> > > > "${scepra_crt_f}-0" -l $crt_f -t 10 -n 1
> > > >
> > > > The certificate_enroll workflow corresponding to the request fails
> > > > within openxpki due to error: "Requester is not in authorized
> > > > signer list."
> > > >
> > > > The errors I can see within openxpki logs are:
> > > > openxpki.application.INFO Execute action global_check_authorized_signer on workflow #2815 [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> > > > 2018/10/13 06:31:14 2815 Trusted Signer chain validation FAILED
> > > > 2018/10/13 06:31:14 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> > > > 2018/10/13 06:31:14 2815 Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE).
> > > > 2018/10/13 06:31:14 openxpki.application.INFO Trusted Signer not found in trust list (CN=testhost.example.corp,O=Example Corp,l=Freudenberg,C=DE. [pid=32300|sid=Zr0m|wftype=certificate_enroll|wfid=2815|sceptid=01956B34B9767A31F1E92D358A09873B]
> > > >
> > > > I have already tried to make changes according to the following entry to
> > > > the mailing list:
> > > > https://sourceforge.net/p/openxpki/mailman/message/34705147/
> > > >
> > > > And tried to find some information within the following documentation:
> > > >
> > > > https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html
> > > > https://media.readthedocs.org/pdf/openxpki/stable/openxpki.pdf
> > > >
> > > > Unfortunately all without luck.
> > > >
> > > > Maybe you can help me understand.
> > > > Thanks in advance.
> > > >
> > > > Kind Regards
> > > >
> > > > Martin
> > >
> > > --
> > > Protect your environment - close windows and adopt a penguin!
>
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
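The branch selection Oliver describes (csr_subject against signer_subject, and the two key identifiers, deciding between an initial and an on-behalf request), as an added Go illustration that is not OpenXPKI's or sscep's code: the CSR key signs its own certificate the way sscep does before sending, and the same CSR is then checked against that certificate and against an unrelated RA certificate. The function names are mine, and the key identifier is an assumed stand-in (SHA-1 over the DER SubjectPublicKeyInfo) computed identically on both sides.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// keyID stands in for csr_/signer_subject_key_identifier (assumption: SHA-1 of the DER SPKI).
func keyID(pub interface{}) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha1.Sum(der)
	return sum[:]
}

// selfSigned mimics sscep's "generating selfsigned certificate" step for the request key.
func selfSigned(key *rsa.PrivateKey, subject pkix.Name) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, SubjectKeyId: keyID(&key.PublicKey),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // constructed demo input; a real tool would return the error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// enrollmentMode mirrors Oliver's START_* branch: same subject and key id => initial, else on-behalf.
func enrollmentMode(csr *x509.CertificateRequest, signer *x509.Certificate) string {
	if csr.Subject.String() == signer.Subject.String() &&
		string(keyID(csr.PublicKey)) == string(signer.SubjectKeyId) {
		return "START_INITIAL"
	}
	return "START_ONBEHALF"
}

// demo: mode for the CSR's own self-signed cert vs. an unrelated RA cert as signer (sample subjects).
func demo() (string, string) {
	host := pkix.Name{CommonName: "c0e6458188af0", Organization: []string{"Example Corp"}}
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: host}, key)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	raKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	return enrollmentMode(csr, selfSigned(key, host)),
		enrollmentMode(csr, selfSigned(raKey, pkix.Name{CommonName: "scep-ra"}))
}
```

A request meant as a self-signed initial enrollment that still lands in START_ONBEHALF has a signer certificate whose subject or key differs from the CSR, which is exactly the pair of values Oliver asks to compare in the workflow view.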
