Sorry - in my last mail the following line was of course wrong: 'Only difference is that within the Workflow context I see "signer_validity_ok = 1" instead of previously "signer_validity_ok = 1"'
Correct would be of course: 'Only difference is that within the Workflow context I see "signer_validity_ok = 1" instead of previously "signer_validity_ok = 0"'
Additionally here is the workflow context as a whole .. maybe this is helpful?

cert_profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
cert_subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org
cert_subject_parts:
    C: DE
    CN: c0e6458188af0
    L: Freudenberg
    O: Example Corp
cert_subject_style: enroll
creator: scep-server-1
csr_digest_alg: sha256
csr_key_alg: rsa
csr_key_params:
    key_length: 2048
csr_subject: CN=c0e6458188af0,O=Example Corp,L=Freudenberg,C=DE
csr_subject_key_identifier: 93:EA:CF:CA:14:31:41:E1:D9:C2:D5:5A:02:1A:B0:CA:AD:16:AB:09
error_code: Requester is not in authorized signer list.
interface: scep
p_allow_anon_enroll: 0
p_allow_eligibility_recheck: 0
p_allow_man_approv: 1
p_allow_man_authen: 1
p_allow_replace: 1
p_approval_points: 1
p_auto_revoke_existing_certs: 1
p_max_active_certs: 1
pkcs10:
-----BEGIN CERTIFICATE REQUEST-----
MIIClzCCAX8CAQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5iZXJn
MRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhhZjAw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCowncKGWtoWCmFi0IEjDkU
xi2wIiW+AZ5zoveyw9i7oq+ovlVgSvNc7im8fd1Tzud9GUJa+DCx/HXzeVLRfGSQ
m91F3nmlGNWLTI6qaa6WUlKTl3ZBxXqw/e1P6LvWGZDXw0CYc1oED7CFPOt9i5of
DTXBXvPjJBk6TRhi4Eek141bqMjKdk+Mp4hB6RityRI0uHnnNqiL1j9M+ba3zJ3K
Du2yv9joWAc4LI+R5Fog42frEc0/RoKGsbJ+8U/1iUZdktZQQ8EOFiD9j/eDS2ao
TKnCuXUQ20IVRiWa7YTPGCydOqy96QcMaq8zFxNaUXbYCVvw5flXtVweSYM6wPzv
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAXk/HvaBiTM7iEaP7Zf/GoxLOAEQw
tSLSQM/a313nKq2gg2WQmiYScHWWBNxCBqxotFBUJRp38L7arvzwFUzTUKsvxCSF
TQ/rmNLukqkyBXrSaI5w1sidNBspXmBYS8bCI0rZiHav3/D5A93xep6864pZFQJe
CZt58Uea1j1LpGeWC2A/r/1wQyXqr80HmxMij8pOHjKGpvSNZbZSzSzneLyasL1f
5jZL+7LM+i5AYdlkynnUJ8yGWoTnYpy+jbDTAJ7R7OBLYHkJQ81D7QKHNx9fjBa4
D5e3/KmF7UD/PT0usBUmvqQ/tU9tQ8QkXa1tl61IsoWFNLMFZIeXjRJNFA==
-----END CERTIFICATE REQUEST-----
request_mode: initial
server: scep-server-1
signer_authorized: 0
signer_cert:
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIgMTUzMEMwMjE5NDcxRDkwMUY3REFGQkFDNUEzQUM4NEMw
DQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5i
ZXJnMRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhh
ZjAwHhcNMTgxMDE2MTEzNzA5WhcNMTgxMDIyMTMzNzA5WjBSMQswCQYDVQQGEwJE
RTEUMBIGA1UEBwwLRnJldWRlbmJlcmcxFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEW
MBQGA1UEAwwNYzBlNjQ1ODE4OGFmMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKjCdwoZa2hYKYWLQgSMORTGLbAiJb4BnnOi97LD2Luir6i+VWBK81zu
Kbx93VPO530ZQlr4MLH8dfN5UtF8ZJCb3UXeeaUY1YtMjqpprpZSUpOXdkHFerD9
7U/ou9YZkNfDQJhzWgQPsIU8632Lmh8NNcFe8+MkGTpNGGLgR6TXjVuoyMp2T4yn
iEHpGK3JEjS4eec2qIvWP0z5trfMncoO7bK/2OhYBzgsj5HkWiDjZ+sRzT9Ggoax
sn7xT/WJRl2S1lBDwQ4WIP2P94NLZqhMqcK5dRDbQhVGJZrthM8YLJ06rL3pBwxq
rzMXE1pRdtgJW/Dl+Ve1XB5JgzrA/O8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEA
U4Oo1BaL8jt9B6461HaeJVdkRY0SDwijzeKi/gE3MciMHppXFRLcHjsPVVNAvFEh
wtGsRKpICO5HyXjDRHwJ8lLJtTZpGNyWFXTB2rkGEZyEP3eLLD3iTn/RG25VIhao
Gy7brfC0tQwbkewhPta9NIbTWWNcnVjhUpdOc+vMlc+lVqktlUmFF5g4SXQ4KxaG
NE36WFvwB4rmQ15ErcWB5GI0R+lZGw2Hby/MJaJ9t47vZweROmmJhmCvuaCh8R6E
RFsmTrdMN8kICM9ScGIyTXBjVUNWyeObv91a96tzzo1fzVYbsxnSf+j6PwEYPIJ7
6DxZjBzS70Gl5aJlo4oxEg==
-----END CERTIFICATE-----
signer_cert_identifier: T97R-qw_jDmz4xc3cL_r9-z7GaU <https://192.168.33.27/openxpki/#/openxpki/certificate!detail!identifier!T97R-qw_jDmz4xc3cL_r9-z7GaU>
signer_in_current_realm: 0
signer_revoked: 0
signer_subject: CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE
signer_subject_key_identifier: 93:EA:CF:CA:14:31:41:E1:D9:C2:D5:5A:02:1A:B0:CA:AD:16:AB:09
signer_trusted: 0
signer_validity_ok: 1
sources:
    _url_params: api
    cert_subject_alt_name: PROFILE
    cert_subject_parts: PKCS10
    interface: api
    pkcs10: api
    req_attributes: PKCS10
    req_extensions: PKCS10
    server: api
    signer_cert: api
    transaction_id: api
transaction_id: 1530C0219471D901F7DAFBAC5A3AC84C
url_remote_addr: 192.168.33.32
wf_current_action: global_set_error_signer_not_authorized
workflow_id: 1791

On Tue, 16 Oct 2018 at 13:46, Martin Krämer <[email protected]> wrote:

> Hi Martin,
>
> thank you for the reply and detailed explanation.
>
> Like you suggested I have removed the ST attribute completely.
> Unfortunately the result is still the same.
> Only difference is that within the Workflow context I see "signer_validity_ok = 1" instead of previously "signer_validity_ok = 1"
>
> Once again the CSR & KEY if required:
> CSR: https://pastebin.com/jkiAUTaE
> KEY: https://pastebin.com/zRtYDnGY
>
> Here are the client outputs (I have put the commands from yesterday in a short script for easier usage):
>
> root@c0e6458188af0:~# /root/sscep-request.sh
> create certificate request
> Generating a 2048 bit RSA private key
> ...................................................................+++
> ......+++
> writing new private key to '/tmp/scep/scep-test.key'
> -----
> run sscep enroll
> sscep: starting sscep, version 0.6.1
> sscep: new transaction
> sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> sscep: hostname: openxpki-000001
> sscep: directory: scep/scep
> sscep: port: 80
> sscep: Read request with transaction id: 1530C0219471D901F7DAFBAC5A3AC84C
> sscep: generating selfsigned certificate
> sscep: SCEP_OPERATION_ENROLL
> sscep: sending certificate request
> sscep: creating inner PKCS#7
> sscep: inner PKCS#7 in mem BIO
> sscep: request data dump
> -----BEGIN CERTIFICATE REQUEST-----
> MIIClzCCAX8CAQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5iZXJn
> MRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhhZjAw
> ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCowncKGWtoWCmFi0IEjDkU
> xi2wIiW+AZ5zoveyw9i7oq+ovlVgSvNc7im8fd1Tzud9GUJa+DCx/HXzeVLRfGSQ
> m91F3nmlGNWLTI6qaa6WUlKTl3ZBxXqw/e1P6LvWGZDXw0CYc1oED7CFPOt9i5of
> DTXBXvPjJBk6TRhi4Eek141bqMjKdk+Mp4hB6RityRI0uHnnNqiL1j9M+ba3zJ3K
> Du2yv9joWAc4LI+R5Fog42frEc0/RoKGsbJ+8U/1iUZdktZQQ8EOFiD9j/eDS2ao
> TKnCuXUQ20IVRiWa7YTPGCydOqy96QcMaq8zFxNaUXbYCVvw5flXtVweSYM6wPzv
> AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAXk/HvaBiTM7iEaP7Zf/GoxLOAEQw
> tSLSQM/a313nKq2gg2WQmiYScHWWBNxCBqxotFBUJRp38L7arvzwFUzTUKsvxCSF
> TQ/rmNLukqkyBXrSaI5w1sidNBspXmBYS8bCI0rZiHav3/D5A93xep6864pZFQJe
> CZt58Uea1j1LpGeWC2A/r/1wQyXqr80HmxMij8pOHjKGpvSNZbZSzSzneLyasL1f
> 5jZL+7LM+i5AYdlkynnUJ8yGWoTnYpy+jbDTAJ7R7OBLYHkJQ81D7QKHNx9fjBa4
> D5e3/KmF7UD/PT0usBUmvqQ/tU9tQ8QkXa1tl61IsoWFNLMFZIeXjRJNFA==
> -----END CERTIFICATE REQUEST-----
> sscep: data payload size: 667 bytes
> sscep: successfully encrypted payload
> sscep: envelope size: 1327 bytes
> sscep: creating outer PKCS#7
> sscep: signature added successfully
> sscep: adding signed attributes
> sscep: adding string attribute transId
> sscep: adding string attribute messageType
> sscep: adding octet attribute senderNonce
> sscep: PKCS#7 data written successfully
> sscep: applying base64 encoding
> sscep: base64 encoded payload size: 3852 bytes
> sscep: server returned status code 200
> sscep: MIME header: x-pki-message
> sscep: valid response from server
> sscep: reading outer PKCS#7
> sscep: PKCS#7 payload size: 2263 bytes
> sscep: PKCS#7 contains 0 bytes of enveloped data
> sscep: verifying signature
> sscep: signature ok
> sscep: finding signed attributes
> sscep: finding attribute transId
> sscep: allocating 32 bytes for attribute
> sscep: reply transaction id: 1530C0219471D901F7DAFBAC5A3AC84C
> sscep: finding attribute messageType
> sscep: allocating 1 bytes for attribute
> sscep: reply message type is good
> sscep: finding attribute senderNonce
> sscep: allocating 16 bytes for attribute
> sscep: senderNonce in reply: 4B58A8A856766D6E73468A23D4A3659E
> sscep: finding attribute recipientNonce
> sscep: allocating 16 bytes for attribute
> sscep: recipientNonce in reply: 7C694BF704971EFBE53D23C4E89D4A06
> sscep: finding attribute pkiStatus
> sscep: allocating 1 bytes for attribute
> sscep: pkistatus: FAILURE
> sscep: finding attribute failInfo
> sscep: allocating 1 bytes for attribute
> sscep: reason: Transaction not permitted or supported
> root@c0e6458188af0:~#
>
>
> And the logfiles of the openxpki server:
>
> root@openxpki-000001:~# cat /var/log/openxpki/scep.log
>
> 2018/10/16 11:37:09 DEBUG:8748 Config for service scep loaded
> 2018/10/16 11:37:09 INFO:8748 SCEP handler initialized
> 2018/10/16 11:37:09 DEBUG:8748 Autodetect config file for service scep: scep.conf
> 2018/10/16 11:37:09 DEBUG:8748 No config file found, falling back to default
> 2018/10/16 11:37:09 INFO:8748 Incoming request from 192.168.33.32 with PKIOperation
> 2018/10/16 11:37:10 DEBUG:8748 Response send
> root@openxpki-000001:~# cat /var/log/openxpki/catchall.log
>
> 2018/10/16 11:37:09 openxpki.application.INFO SCEP incoming request, id 1530C0219471D901F7DAFBAC5A3AC84C [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO SCEP try to start new workflow for 1530C0219471D901F7DAFBAC5A3AC84C [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_initialize on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action global_map_url_params on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action global_load_policy on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action global_set_profile on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:09 openxpki.application.INFO Execute action enroll_parse_pkcs10 on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_render_subject on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_set_workflow_attributes on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Execute action global_check_authorized_signer on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE). [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Execute action enroll_set_mode_onbehalf on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO Execute action global_set_error_signer_not_authorized on workflow #1791 [pid=8749|sid=VKiE|wftype=certificate_enroll|wfid=1791|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> 2018/10/16 11:37:10 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=8749|sid=VKiE|sceptid=1530C0219471D901F7DAFBAC5A3AC84C]
> root@openxpki-000001:~# cat /var/log/openxpki/workflows.log
>
> 2018/10/16 11:37:09 1791 Execute action enroll_initialize on workflow #1791
> 2018/10/16 11:37:09 1791 Execute action global_map_url_params on workflow #1791
> 2018/10/16 11:37:09 1791 Execute action enroll_set_workflow_attributes on workflow #1791
> 2018/10/16 11:37:09 1791 Execute action global_load_policy on workflow #1791
> 2018/10/16 11:37:09 1791 Execute action global_set_profile on workflow #1791
> 2018/10/16 11:37:09 1791 Execute action enroll_parse_pkcs10 on workflow #1791
> 2018/10/16 11:37:10 1791 Execute action enroll_render_subject on workflow #1791
> 2018/10/16 11:37:10 1791 Rendering subject: CN=c0e6458188af0,DC=Test Deployment,DC=OpenXPKI,DC=org
> 2018/10/16 11:37:10 1791 Execute action enroll_set_workflow_attributes on workflow #1791
> 2018/10/16 11:37:10 1791 Execute action global_check_authorized_signer on workflow #1791
> 2018/10/16 11:37:10 1791 Trusted Signer chain validation FAILED
> 2018/10/16 11:37:10 1791 Trusted Signer not found in trust list (CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE).
> 2018/10/16 11:37:10 1791 Execute action enroll_set_mode_onbehalf on workflow #1791
> 2018/10/16 11:37:10 1791 Execute action global_set_error_signer_not_authorized on workflow #1791
> root@openxpki-000001:~#
>
>
>
> On Mon, 15 Oct 2018 at 20:05, Martin Bartosch <[email protected]> wrote:
>
>> Hi,
>>
>> > CSR: https://pastebin.com/etyybJx8
>>
>> Your CSR Subject contains an invalid encoding of the ST attribute. The DER encoding states that this is a UTF8STRING, but it isn't.
>> The reason the workflow very likely fails is that it checks string equality of the CSR Subject CSR and a self-signed Cert CSR which the sscep tool builds on-the-fly. Due to the broken encoding the string equality match on the server side is false, and this results in the workflow branching in the "enrollment on behalf" case. This case is not allowed/configured on your server, hence the request gets rejected.
>>
>> My suggestion is to try to send a request without funny Umlauts and once this works retry with correct UTF8 encoding. Please note that this also requires sscep to handle UTF8 properly. Don't know if that's the case.
>>
>> (Personal side note: I'd probably completely leave out the ST attribute for certificates used in Europe/Germany. I'd even go one step further, using the DC notation for EE certs. But that's probably a matter of taste.)
>>
>> Cheers
>>
>> Martin
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
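Added example (an editor's addition, not code from this thread, from OpenXPKI or from sscep). The quoted explanation says the server compares the subject of the CSR with the subject of the self-signed certificate that sscep builds on the fly, and that a mismatch sends the workflow down the "enrollment on behalf" branch. The material in this message is enough to check both halves of that offline. The script below, standard-library Python only, decodes the subject Name from the pkcs10 and signer_cert PEM blocks in the workflow context above and lists each attribute together with its ASN.1 string tag (a mis-tagged UTF8String, such as the ST attribute in the earlier CSR, would show up there), then compares the two rendered subject strings from the same context, csr_subject and signer_subject, first exactly and then with attribute names case-folded; in the context they differ only in "L=" versus "l=". Two assumptions: the DER walker only handles the single-byte tags that occur in these two objects, and the plain string comparison is Martin Bartosch's reading of what the workflow does, which the script reproduces but does not confirm.

```python
# Added example (not from the thread, OpenXPKI or sscep): decode and compare the
# subject Name of the SCEP request and of the self-signed signer certificate.
import base64

# PEM blocks copied from the workflow context in this message (pkcs10, signer_cert).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIClzCCAX8CAQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5iZXJn
MRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhhZjAw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCowncKGWtoWCmFi0IEjDkU
xi2wIiW+AZ5zoveyw9i7oq+ovlVgSvNc7im8fd1Tzud9GUJa+DCx/HXzeVLRfGSQ
m91F3nmlGNWLTI6qaa6WUlKTl3ZBxXqw/e1P6LvWGZDXw0CYc1oED7CFPOt9i5of
DTXBXvPjJBk6TRhi4Eek141bqMjKdk+Mp4hB6RityRI0uHnnNqiL1j9M+ba3zJ3K
Du2yv9joWAc4LI+R5Fog42frEc0/RoKGsbJ+8U/1iUZdktZQQ8EOFiD9j/eDS2ao
TKnCuXUQ20IVRiWa7YTPGCydOqy96QcMaq8zFxNaUXbYCVvw5flXtVweSYM6wPzv
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAXk/HvaBiTM7iEaP7Zf/GoxLOAEQw
tSLSQM/a313nKq2gg2WQmiYScHWWBNxCBqxotFBUJRp38L7arvzwFUzTUKsvxCSF
TQ/rmNLukqkyBXrSaI5w1sidNBspXmBYS8bCI0rZiHav3/D5A93xep6864pZFQJe
CZt58Uea1j1LpGeWC2A/r/1wQyXqr80HmxMij8pOHjKGpvSNZbZSzSzneLyasL1f
5jZL+7LM+i5AYdlkynnUJ8yGWoTnYpy+jbDTAJ7R7OBLYHkJQ81D7QKHNx9fjBa4
D5e3/KmF7UD/PT0usBUmvqQ/tU9tQ8QkXa1tl61IsoWFNLMFZIeXjRJNFA==
-----END CERTIFICATE REQUEST-----"""
SIGNER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIgMTUzMEMwMjE5NDcxRDkwMUY3REFGQkFDNUEzQUM4NEMw
DQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCREUxFDASBgNVBAcMC0ZyZXVkZW5i
ZXJnMRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxFjAUBgNVBAMMDWMwZTY0NTgxODhh
ZjAwHhcNMTgxMDE2MTEzNzA5WhcNMTgxMDIyMTMzNzA5WjBSMQswCQYDVQQGEwJE
RTEUMBIGA1UEBwwLRnJldWRlbmJlcmcxFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEW
MBQGA1UEAwwNYzBlNjQ1ODE4OGFmMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKjCdwoZa2hYKYWLQgSMORTGLbAiJb4BnnOi97LD2Luir6i+VWBK81zu
Kbx93VPO530ZQlr4MLH8dfN5UtF8ZJCb3UXeeaUY1YtMjqpprpZSUpOXdkHFerD9
7U/ou9YZkNfDQJhzWgQPsIU8632Lmh8NNcFe8+MkGTpNGGLgR6TXjVuoyMp2T4yn
iEHpGK3JEjS4eec2qIvWP0z5trfMncoO7bK/2OhYBzgsj5HkWiDjZ+sRzT9Ggoax
sn7xT/WJRl2S1lBDwQ4WIP2P94NLZqhMqcK5dRDbQhVGJZrthM8YLJ06rL3pBwxq
rzMXE1pRdtgJW/Dl+Ve1XB5JgzrA/O8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEA
U4Oo1BaL8jt9B6461HaeJVdkRY0SDwijzeKi/gE3MciMHppXFRLcHjsPVVNAvFEh
wtGsRKpICO5HyXjDRHwJ8lLJtTZpGNyWFXTB2rkGEZyEP3eLLD3iTn/RG25VIhao
Gy7brfC0tQwbkewhPta9NIbTWWNcnVjhUpdOc+vMlc+lVqktlUmFF5g4SXQ4KxaG
NE36WFvwB4rmQ15ErcWB5GI0R+lZGw2Hby/MJaJ9t47vZweROmmJhmCvuaCh8R6E
RFsmTrdMN8kICM9ScGIyTXBjVUNWyeObv91a96tzzo1fzVYbsxnSf+j6PwEYPIJ7
6DxZjBzS70Gl5aJlo4oxEg==
-----END CERTIFICATE-----"""
# Rendered subjects copied from the same context (csr_subject, signer_subject).
CSR_SUBJECT_STR = "CN=c0e6458188af0,O=Example Corp,L=Freudenberg,C=DE"
SIGNER_SUBJECT_STR = "CN=c0e6458188af0,O=Example Corp,l=Freudenberg,C=DE"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "0.9.2342.19200300.100.1.25": "DC"}
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def pem_to_der(pem):
    return base64.b64decode("".join(line for line in pem.splitlines() if "-----" not in line))

def read_tlv(buf, pos):
    # One DER element, single-byte tag, short or long-form length: (tag, body, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0                 # yields (tag, body) of each element inside a constructed element
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_name(body):
    # Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value}. The ASN.1 string tag of
    # every value is kept, since that is where a mis-tagged UTF8String would show up.
    out = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (tag, val) = children(atv)
            oid = decode_oid(oid)
            out.append((OID_NAMES.get(oid, oid), STRING_TAGS.get(tag, "tag 0x%02x" % tag),
                        val.decode("utf-8", "replace")))
    return out

def csr_subject(der):
    _, info = next(children(read_tlv(der, 0)[1]))        # certificationRequestInfo
    return parse_name(list(children(info))[1][1])        # version, subject, spki, attrs

def cert_subject(der):
    _, tbs = next(children(read_tlv(der, 0)[1]))         # tbsCertificate
    fields = [f for f in children(tbs) if f[0] != 0xA0]  # drop the [0] EXPLICIT version
    return parse_name(fields[4][1])                      # serial, sigAlg, issuer, validity, subject

def subjects_match(a, b, fold_attr_case=False):
    # Plain string comparison of two rendered subjects ("CN=a,O=b,..."), optionally
    # ignoring the case of attribute names so that "L=" and "l=" compare equal.
    pa, pb = ([tuple(p.split("=", 1)) for p in s.split(",")] for s in (a, b))
    if fold_attr_case:
        pa, pb = [(k.upper(), v) for k, v in pa], [(k.upper(), v) for k, v in pb]
    return pa == pb
```

csr_subject(pem_to_der(CSR_PEM)) and cert_subject(pem_to_der(SIGNER_CERT_PEM)) return the same four attributes in DER order (C as PrintableString; L, O and CN as UTF8String), so at the DER level the sscep-built signer certificate carries exactly the subject of the request. subjects_match on the two rendered strings from the context is False until fold_attr_case=True. That is as far as the posted material goes; which comparison the OpenXPKI workflow actually performs is not shown on this page.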
