Hi,

Included some of the log file output...

Thanks in advance.

On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
> Hi,
>
> I set up the...
>
> scep.SERVER.policy.allow_anon_enroll: 1
>
> ...and it doesn't seem to make any difference. Still get the same
> error response.
>
> For the step immediately before the scep-enroll (generating the key,
> etc), apart from the challenge secret specified in the online doc, is
> there anything special that I should be entering in as all the other
> fields I am prompted for?
>
> Regarding the security concern, this is a test server setup for proof
> of concept.
>

/var/log/openxpki/scep.log

...
2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
2018/10/29 10:05:27 DEBUG:2507 Response send

/var/log/openxpki/workflows.log

...
2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).

/var/log/openxpki/catchall.log

2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]

> Regards,
>
> Darcy
>
> Darcy Watkins :: Senior Staff Engineer, Firmware
>
> SIERRA WIRELESS
> Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100
> 13811 Wireless Way :: Richmond, BC Canada V6V 3A4
> [email protected] :: www.sierrawireless.com
>
> -----Original Message-----
> From: Martin Bartosch <[email protected]>
> Sent: October-27-18 7:19 AM
> To: [email protected]
> Subject: Re: [OpenXPKI-users] FW: SCEP server setup
>
> Hi,
>
> > I followed the instructions at
> > https://openxpki.readthedocs.io/en/latest/quickstart.html to setup
> > a test server configuration and can log in, etc. I built an sscep
> > client to test the SCEP service. Everything appears to work OK up
> > to the last stage.
> >
> > For the last stage,
> >
> > sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
> >     -k tmp/scep-test.key -r tmp/scep-test.csr \
> >     -c tmp/cacert-0 \
> >     -l tmp/scep-test.crt \
> >     -t 10 -n 1
> >
> > I get the following error:
> >
> > sscep: sending certificate request
> > sscep: valid response from server
> > sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
> > sscep: pkistatus: FAILURE
> > sscep: reason: Transaction not permitted or supported
>
> The command you use tries to perform an anonymous initial enrollment
> against the SCEP server. The OpenXPKI team believes that certificate
> enrollment should be both authenticated and authorized, hence
> anonymous SCEP initial enrollment is disabled by default.
>
> If you wish to allow this, set
>
> scep.SERVER.policy.allow_anon_enroll: 1
>
> in your configuration. You should consider the security implications
> for production deployments.
>
> Cheers
>
> Martin
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Regards,

Darcy

Darcy Watkins :: Senior Staff Engineer, Firmware

SIERRA WIRELESS
Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100
13811 Wireless Way :: Richmond, BC Canada V6V 3A4
[email protected] :: www.sierrawireless.com

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
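When triaging SCEP failures like the one in this thread, the useful step is to correlate the catchall.log lines by their `sceptid` and pull out, per transaction, the rendered subject, whether the request signer passed the trust check, the workflow id and its final state, and the error the server fell back to. The following is an added example written for this thread, not code from the thread's participants or from the OpenXPKI project. It assumes only the line shape visible in the catchall.log excerpt above (`timestamp logger.LEVEL message [key=value|...]`); the sample lines are constructed from that excerpt plus one unrelated line without a `sceptid`, which the summary must ignore.

```python
import re
from collections import defaultdict

# Line shape of /var/log/openxpki/catchall.log as seen in the thread:
#   2018/10/29 10:05:26 openxpki.application.WARN <message> [pid=..|sid=..|sceptid=..]
# The trailing bracketed context block is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logger>[\w.]+)\.(?P<level>[A-Z]+) "
    r"(?P<msg>.*?)"
    r"(?: \[(?P<ctx>[^\]]*)\])?$"
)

# Constructed sample, modelled on the excerpt posted in the thread.
SAMPLE_LINES = [
    "2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:25 openxpki.application.INFO Session created [pid=2823|sid=zz9Q]",  # constructed, no sceptid
    "2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]",
    "2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]",
]


def parse_line(line):
    """Split one catchall.log line into timestamp, level, message and a context dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ctx = {}
    for kv in (rec.pop("ctx") or "").split("|"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            ctx[k] = v
    rec["ctx"] = ctx
    return rec


def new_txn():
    return {"subject": None, "wfid": None, "state": None,
            "signer_trusted": None, "untrusted_signer": None,
            "error": None, "events": []}


def summarize_scep_log(lines):
    """Group catchall.log lines by SCEP transaction id and extract the failure facts."""
    txns = defaultdict(new_txn)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tid = rec["ctx"].get("sceptid")
        if not tid:                     # not part of a SCEP transaction
            continue
        t = txns[tid]
        msg = rec["msg"]
        t["events"].append(msg)
        if rec["ctx"].get("wfid"):
            t["wfid"] = rec["ctx"]["wfid"]
        if msg.startswith("Rendering subject: "):
            t["subject"] = msg[len("Rendering subject: "):]
        elif "Trusted Signer chain validation FAILED" in msg:
            t["signer_trusted"] = False
        elif "Trusted Signer not found in trust list" in msg:
            t["signer_trusted"] = False
            # keep the DN of the rejected request signer for the report
            t["untrusted_signer"] = msg.split("(", 1)[1].rstrip(").")
        m = re.search(r"workflow with id (\d+), state (\w+)", msg)
        if m:
            t["wfid"], t["state"] = m.group(1), m.group(2)
        if rec["level"] == "ERROR":
            t["error"] = msg
    return dict(txns)


def report(txns):
    """One line per transaction, stating what the log itself says went wrong."""
    out = []
    for tid, t in txns.items():
        reason = "ok"
        if t["state"] != "SUCCESS":
            reason = f"state={t['state']}"
            if t["signer_trusted"] is False:
                reason += f"; request signer not in trust list ({t['untrusted_signer']})"
            if t["error"]:
                reason += f"; {t['error']}"
        out.append(f"{tid} wfid={t['wfid']} subject={t['subject']!r}: {reason}")
    return out


if __name__ == "__main__":
    for line in report(summarize_scep_log(SAMPLE_LINES)):
        print(line)
```

The report makes the thread's situation visible at a glance: the enrollment workflow 1791 ends in FAILURE because the certificate that signed the PKCS#7 request (the self-signed `O=Internet Widgits Pty Ltd` certificate) is not in the server's trust list, and since no specific error code was set the client only sees the generic badRequest. Running this over a longer catchall.log separates trust-list rejections from other failure kinds per transaction, which is what you want before deciding whether a policy change is appropriate.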
