Hi Darcy,

I shouldn't do such things at midnight - I can see in the logs that there is an ST attribute in your request. So please remove this and all should work - if you are interested in the background -> https://github.com/openxpki/openxpki/issues/674

Oliver

On 30.10.2018 at 23:40, Oliver Welter wrote:
> Hi Darcy,
>
> one question I can not answer myself from the logs - did you have an L
> and/or ST attribute in your CSR (there is a bug!)? If so, please remove
> it and try again - with the sample profiles only the CN is used, so
> anything else is ignored.
>
> If this is not the case, please try to enroll against our public demo
> http://oxi-ee-demo.whiterabbitsecurity.com/scep/scep or send me your
> CSR/Key or openssl command to generate a similar CSR.
>
> best regards
>
> Oliver
>
> On 29.10.2018 at 18:27, Darcy Watkins wrote:
>> Hi,
>>
>> Included some of the log file output...
>>
>> Thanks in advance.
>>
>> On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
>>> Hi,
>>>
>>> I set up the...
>>>
>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>
>>> ...and it doesn't seem to make any difference. Still get the same
>>> error response.
>>>
>>> For the step immediately before the scep-enroll (generating the key,
>>> etc), apart from the challenge secret specified in the online doc, is
>>> there anything special that I should be entering in as all the other
>>> fields I am prompted for?
>>>
>>> Regarding the security concern, this is a test server setup for proof
>>> of concept.
>>>
>>
>> /var/log/openxpki/scep.log ...
>>
>> 2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
>> 2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
>> 2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
>> 2018/10/29 10:05:27 DEBUG:2507 Response send
>>
>> /var/log/openxpki/workflows.log ...
>>
>> 2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
>> 2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
>> 2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).
>>
>> /var/log/openxpki/catchall.log
>>
>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>> 2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>
>>>
>>> Regards,
>>>
>>> Darcy
>>>
>>> Darcy Watkins :: Senior Staff Engineer, Firmware
>>>
>>> SIERRA WIRELESS
>>> Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100
>>> 13811 Wireless Way :: Richmond, BC Canada V6V 3A4
>>> [email protected] :: www.sierrawireless.com
>>>
>>> -----Original Message-----
>>> From: Martin Bartosch <[email protected]>
>>> Sent: October-27-18 7:19 AM
>>> To: [email protected]
>>> Subject: Re: [OpenXPKI-users] FW: SCEP server setup
>>>
>>> Hi,
>>>
>>>> I followed the instructions at
>>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenxpki.readthedocs.io%2Fen%2Flatest%2Fquickstart.html&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=i2wTz0W7mt1IMR9%2FX68WCcU6jO%2FkQSvcI6obEZuIpx8%3D&reserved=0
>>>> to setup a test server configuration and can log in, etc. I built an
>>>> sscep client to test the SCEP service. Everything appears to work OK
>>>> up to the last stage.
>>>>
>>>> For the last stage,
>>>>
>>>> sscep enroll -u https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcarmd-er-n00000.sierrawireless.local%2Fscep%2Fscep&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=2bXvvrvmiTf3oWXUuNsXnyOzH%2BmSTH2PO0KfYBD1woI%3D&reserved=0 \
>>>>   -k tmp/scep-test.key -r tmp/scep-test.csr \
>>>>   -c tmp/cacert-0 \
>>>>   -l tmp/scep-test.crt \
>>>>   -t 10 -n 1
>>>>
>>>> I get the following error:
>>>>
>>>> sscep: sending certificate request
>>>> sscep: valid response from server
>>>> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
>>>> sscep: pkistatus: FAILURE
>>>> sscep: reason: Transaction not permitted or supported
>>>>
>>>
>>> The command you use tries to perform an anonymous initial enrollment
>>> against the SCEP server. The OpenXPKI team believes that certificate
>>> enrollment should be both authenticated and authorized, hence
>>> anonymous SCEP initial enrollment is disabled by default.
>>>
>>> If you wish to allow this, set
>>>
>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>
>>> in your configuration. You should consider the security implications
>>> for production deployments.
>>>
>>> Cheers
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fopenxpki-users&data=02%7C01%7Cdwatkins%40sierrawireless.com%7C52b35ec265754accf17708d63c173056%7C08059a4c248643dd89e33a747e0dcbe8%7C1%7C0%7C636762467632140131&sdata=7ocXP0UGDtkWRkCDlOW8FYCTU6i87KCWK4OwParflCE%3D&reserved=0
>>>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
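
Added example, not part of the original thread and not OpenXPKI code: a small triage script for the "Trusted Signer not found in trust list (...)" lines quoted above, listing which subject attributes the signer DN carries so an L or ST (printed as S in these logs) entry stands out. The function names, the FLAGGED set and the second sample entry (workflow 1792) are assumptions made for illustration; the line layout is copied from the workflows.log excerpt in the thread.

```python
import re

# Constructed sample, modelled on the workflows.log lines quoted in this thread.
SAMPLE_LOG = """\
2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).
2018/10/29 10:07:02 1792 Trusted Signer not found in trust list (CN=device\\, spare).
"""

# date, time, workflow id, then the signer DN in parentheses
SIGNER_RE = re.compile(
    r"^\S+ \S+ (\d+) Trusted Signer not found in trust list \((.*)\)\.?\s*$")
# The thread names L and ST as the attributes to remove; the log prints ST as "S".
FLAGGED = {"L", "ST", "S"}

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if ch == "," and not esc:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        esc = (ch == "\\") and not esc
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def triage(log_text):
    """Return one finding per signer line: workflow id, attribute types, flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = SIGNER_RE.match(line)
        if not m:
            continue
        types = [rdn.split("=", 1)[0].strip().upper() for rdn in split_rdns(m.group(2))]
        findings.append({
            "workflow": int(m.group(1)),
            "types": types,
            "flagged": [t for t in types if t in FLAGGED],
            "cn_only": types == ["CN"],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```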
