Hi Darcy, one question I can not answer myself from the logs - did you have an L and/or ST attribute in your CSR (there is a bug!)? If so, please remove it and try again - with the sample profiles only the CN is used, so anything else is ignored.
If this is not the case, please try to enroll against our public demo http://oxi-ee-demo.whiterabbitsecurity.com/scep/scep or send me your CSR/Key or openssl command to generate a similar CSR.

best regards

Oliver

On 29.10.2018 at 18:27, Darcy Watkins wrote:
> Hi,
>
> Included some of the log file output...
>
> Thanks in advance.
>
> On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
>> Hi,
>>
>> I set up the...
>>
>> scep.SERVER.policy.allow_anon_enroll: 1
>>
>> ...and it doesn't seem to make any difference. Still get the same
>> error response.
>>
>> For the step immediately before the scep-enroll (generating the key,
>> etc), apart from the challenge secret specified in the online doc, is
>> there anything special that I should be entering in as all the other
>> fields I am prompted for?
>>
>> Regarding the security concern, this is a test server setup for proof
>> of concept.
>>
>
> /var/log/openxpki/scep.log ...
>
> 2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
> 2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
> 2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
> 2018/10/29 10:05:27 DEBUG:2507 Response send
>
> /var/log/openxpki/workflows.log ...
>
> 2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
> 2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
> 2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).
>
> /var/log/openxpki/catchall.log
>
> 2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> 2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>
>>
>> Regards,
>>
>> Darcy
>>
>> Darcy Watkins :: Senior Staff Engineer, Firmware
>>
>> SIERRA WIRELESS
>> Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100
>> 13811 Wireless Way :: Richmond, BC Canada V6V 3A4
>> [P2]
>> [email protected] :: www.sierrawireless.com
>>
>> -----Original Message-----
>> From: Martin Bartosch <[email protected]>
>> Sent: October-27-18 7:19 AM
>> To: [email protected]
>> Subject: Re: [OpenXPKI-users] FW: SCEP server setup
>>
>> Hi,
>>
>>> I followed the instructions at
>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenxpki.readthedocs.io%2Fen%2Flatest%2Fquickstart.html&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=i2wTz0W7mt1IMR9%2FX68WCcU6jO%2FkQSvcI6obEZuIpx8%3D&reserved=0
>>> to setup a test server configuration and can log in, etc. I built
>>> an sscep client to test the SCEP service. Everything appears to
>>> work OK up to the last stage.
>>>
>>> For the last stage,
>>>
>>> sscep enroll -u https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcarmd-er-n00000.sierrawireless.local%2Fscep%2Fscep&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=2bXvvrvmiTf3oWXUuNsXnyOzH%2BmSTH2PO0KfYBD1woI%3D&reserved=0 \
>>>   -k tmp/scep-test.key -r tmp/scep-test.csr \
>>>   -c tmp/cacert-0 \
>>>   -l tmp/scep-test.crt \
>>>   -t 10 -n 1
>>>
>>> I get the following error:
>>>
>>> sscep: sending certificate request
>>> sscep: valid response from server
>>> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
>>> sscep: pkistatus: FAILURE
>>> sscep: reason: Transaction not permitted or supported
>>>
>>
>> The command you use tries to perform an anonymous initial enrollment
>> against the SCEP server. The OpenXPKI team believes that certificate
>> enrollment should be both authenticated and authorized, hence
>> anonymous SCEP initial enrollment is disabled by default.
>>
>> If you wish to allow this, set
>>
>> scep.SERVER.policy.allow_anon_enroll: 1
>>
>> in your configuration. You should consider the security implications
>> for production deployments.
>>
>> Cheers
>>
>> Martin
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=7ocXP0UGDtkWRkCDlOW8FYCTU6i87KCWK4OwParflCE%3D&reserved=0
>>

-- 
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
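
Added example (not part of the original thread, and not OpenXPKI code): a small Python script that groups the catchall.log lines quoted above by SCEP transaction id and pulls out the workflow id, the final state and the signer-validation messages, which is the correlation done by eye in this thread. The field layout is inferred only from the quoted lines.

```python
import re
from collections import defaultdict

# catchall.log lines quoted in the thread above, with mail line-wrapping undone.
SAMPLE_LOG = """\
2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
"""

# Assumed layout: "<date> <time> <facility>.<LEVEL> <message> [k=v|k=v|...]"
LINE_RE = re.compile(r"^\S+ \S+ [\w.]+\.(?P<level>[A-Z]+) (?P<msg>.*?) \[(?P<ctx>[^\]]*)\]$")
STATE_RE = re.compile(r"started new workflow with id (\d+), state (\w+)")

def parse_line(line):
    """Split one log line into level, message and the key=value context."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split("|") if "=" in kv)
    return {"level": m["level"], "msg": m["msg"], "ctx": ctx}

def summarize(log_text):
    """Group lines by SCEP transaction id; collect workflow id, state, problems."""
    txs = defaultdict(lambda: {"wfid": None, "state": None, "problems": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "sceptid" not in rec["ctx"]:
            continue
        tx = txs[rec["ctx"]["sceptid"]]
        tx["wfid"] = rec["ctx"].get("wfid", tx["wfid"])
        state = STATE_RE.search(rec["msg"])
        if state:
            tx["wfid"], tx["state"] = state.groups()
        # The trust-list message is logged at INFO but names the rejected signer.
        if rec["level"] in ("WARN", "ERROR") or "Trusted Signer" in rec["msg"]:
            tx["problems"].append((rec["level"], rec["msg"]))
    return dict(txs)

if __name__ == "__main__":
    for sceptid, tx in summarize(SAMPLE_LOG).items():
        print(sceptid, "workflow", tx["wfid"], "state", tx["state"])
        for level, msg in tx["problems"]:
            print("   ", level, msg)
```
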
