Hi Darcy, Martin,

here is a patch which is somewhat of a "quick hack" that makes it work. We
are discussing how to move on with this, but it should help you to get
things working until we have a final solution.

Oliver

diff --git a/core/server/OpenXPKI/Crypt/X509.pm
b/core/server/OpenXPKI/Crypt/X509.pm
index ae8ffcf2a..08360a743 100644
--- a/core/server/OpenXPKI/Crypt/X509.pm
+++ b/core/server/OpenXPKI/Crypt/X509.pm
@@ -63,7 +63,10 @@ has subject => (
     lazy => 1,
     default => sub {
         my $self = shift;
-        return join(',', reverse @{$self->_cert()->Subject});
+        return join ",", map {
+            # Replace S -> ST and l => L, see #674
+            $_ =~ s{\AS=}{ST=}; $_ =~ s{\Al=}{L=}; $_
+        } reverse @{$self->_cert()->Subject};
     }
 );
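Review bot: `$_` inside the `map` block is aliased to the elements of `@{$self->_cert()->Subject}`, so the two `s{...}{...}` substitutions rewrite the Crypt::X509 object's own subject array in place rather than only the string this accessor returns; whether that is harmless depends on whether `Subject` hands back its cached list or a copy, and the hunk does not show which. Make the rewrite side-effect free, e.g. `my $rdn = $_; $rdn =~ s{\AS=}{ST=}; $rdn =~ s{\Al=}{L=}; $rdn`, or use the non-destructive `/r` modifier (Perl 5.14+). The `\A` anchor also only fixes an attribute that starts the RDN string, so an element such as `CN=x+S=y` would keep its `S`; either state that limitation in the comment (which currently mixes `S -> ST` and `l => L` notation) or match on a `(?:\A|\+)` boundary. Since this is meant as a stop-gap for #674, a test fixture with a certificate carrying `S=` and `l=` in its subject would keep the final fix from regressing it.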


Am 30.10.2018 um 23:53 schrieb Oliver Welter:
> Hi Darcy,
> 
> I shouldn't do such things at midnight - I can see in the logs that there
> is a ST attribute in your request. So please remove this and all should
> work - if you are interested in the background ->
> https://github.com/openxpki/openxpki/issues/674
> 
> Oliver
> 
> Am 30.10.2018 um 23:40 schrieb Oliver Welter:
>> Hi Darcy,
>>
>> one question I cannot answer myself from the logs - did you have an L
>> and/or ST attribute in your CSR (there is a bug!)? If so, please remove
>> it and try again - with the sample profiles only the CN is used, so
>> anything else is ignored.
>>
>> If this is not the case, please try to enroll against our public demo
>> http://oxi-ee-demo.whiterabbitsecurity.com/scep/scep or send me your
>> CSR/key or openssl command to generate a similar CSR.
>>
>> best regards
>>
>> Oliver
>>
>> Am 29.10.2018 um 18:27 schrieb Darcy Watkins:
>>> Hi,
>>>
>>> Included some of the log file output...
>>>
>>> Thanks in advance.
>>>
>>> On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
>>>> Hi,
>>>>
>>>> I set up the...
>>>>
>>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>>
>>>> ...and it doesn't seem to make any difference.  Still get the same
>>>> error response.
>>>>
>>>> For the step immediately before the scep-enroll (generating the key,
>>>> etc), apart from the challenge secret specified in the online doc, is
>>>> there anything special that I should be entering in as all the other
>>>> fields I am prompted for?
>>>>
>>>> Regarding the security concern, this is a test server setup for proof
>>>> of concept.
>>>>
>>>>
>>>
>>> /var/log/openxpki/scep.log ...
>>>
>>> 2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
>>> 2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
>>> 2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
>>> 2018/10/29 10:05:27 DEBUG:2507 Response send
>>>
>>> /var/log/openxpki/workflows.log ...
>>>
>>> 2018/10/29 10:05:26 1791 Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org
>>> 2018/10/29 10:05:26 1791 Trusted Signer chain validation FAILED
>>> 2018/10/29 10:05:26 1791 Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU).
>>>
>>> /var/log/openxpki/catchall.log
>>>
>>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>> 2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
>>>
>>>>
>>>> Regards,
>>>>
>>>> Darcy
>>>>
>>>> Darcy Watkins ::  Senior Staff Engineer, Firmware
>>>>
>>>> SIERRA WIRELESS
>>>> Direct  +1 604 233 7989   ::  Fax  +1 604 231 1109  ::  Main  +1 604 231 1100
>>>> 13811 Wireless Way  :: Richmond, BC Canada V6V 3A4
>>>> [email protected] :: www.sierrawireless.com
>>>>
>>>> -----Original Message-----
>>>> From: Martin Bartosch <[email protected]> 
>>>> Sent: October-27-18 7:19 AM
>>>> To: [email protected]
>>>> Subject: Re: [OpenXPKI-users] FW: SCEP server setup
>>>>
>>>> Hi,
>>>>
>>>>> I followed the instructions at
>>>>> https://openxpki.readthedocs.io/en/latest/quickstart.html to set up a
>>>>> test server configuration and can log in, etc. I built an sscep client
>>>>> to test the SCEP service.  Everything appears to work OK up to the last
>>>>> stage.
>>>>>
>>>>> For the last stage, 
>>>>>
>>>>> sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
>>>>>     -k tmp/scep-test.key -r tmp/scep-test.csr \
>>>>>     -c tmp/cacert-0 \
>>>>>     -l tmp/scep-test.crt \
>>>>>     -t 10 -n 1
>>>>>
>>>>> I get the following error:
>>>>>
>>>>> sscep: sending certificate request
>>>>> sscep: valid response from server
>>>>> sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
>>>>> sscep: pkistatus: FAILURE
>>>>> sscep: reason: Transaction not permitted or supported
>>>>
>>>> The command you use tries to perform an anonymous initial enrollment
>>>> against the SCEP server. The OpenXPKI team believes that certificate
>>>> enrollment should be both authenticated and authorized, hence
>>>> anonymous SCEP initial enrollment is disabled by default.
>>>>
>>>> If you wish to allow this, set
>>>>
>>>> scep.SERVER.policy.allow_anon_enroll: 1
>>>>
>>>> in your configuration. You should consider the security implications
>>>> for production deployments.
>>>>
>>>> Cheers
>>>>
>>>> Martin
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenXPKI-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>>
>>
>>
> 
> 


-- 
Protect your environment -  close windows and adopt a penguin!
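The failure in the quoted logs, a trust-list lookup that misses because the signer subject is rendered with `S=Some-State` while the configured entry uses the RFC 4514 short name `ST=`, is easy to reproduce outside OpenXPKI. The Python below is an added example written for this page, not code from OpenXPKI or Crypt::X509: it applies the same alias folding as the quick-hack patch (`S` to `ST`, `l` to `L`) on parsed RDNs rather than on the joined string, and then compares subjects after normalization. The `S=Some-State` subject is the one from the workflows.log line above; the trust-list entries and the lower-case `l=` subject in the test are constructed inputs.

```python
import re

# Attribute-type aliases to fold before comparing DNs.  The S -> ST and
# l -> L pairs are the mismatch from the thread (the names Crypt::X509
# emits vs. the RFC 4514 short names OpenXPKI's trust list uses).  Types
# are upper-cased before lookup, so "l" and "L" both become "L"; long
# names such as emailAddress are upper-cased too, which is comparison-safe.
_TYPE_ALIASES = {
    "S": "ST",   # stateOrProvinceName as emitted by Crypt::X509
}

# A comma that is not preceded by a backslash separates RDNs (RFC 4514);
# an escaped comma is part of an attribute value and must be kept.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def normalize_type(attr_type):
    """Return the canonical short name for an attribute type string."""
    name = attr_type.strip().upper()
    return _TYPE_ALIASES.get(name, name)


def parse_dn(dn):
    """Parse an RFC 4514 string into [(TYPE, value), ...] in string order.

    Only single-valued RDNs are handled; a '+' inside an element is left
    untouched, so "CN=x+S=y" keeps its "S" (same limit as the patch's \\A).
    """
    rdns = []
    for rdn in _RDN_SEPARATOR.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        rdns.append((normalize_type(attr_type), value.strip()))
    return rdns


def canonical_dn(dn):
    """Re-join a DN with normalized attribute types, e.g. S=... -> ST=..."""
    return ",".join("%s=%s" % (t, v) for t, v in parse_dn(dn))


def same_subject(a, b):
    """Compare two DNs by normalized type and exact value, in order.

    Values are compared byte-for-byte and order matters; X.500
    caseIgnoreMatch rules are deliberately not applied here.
    """
    return parse_dn(a) == parse_dn(b)


def in_trust_list(subject, trust_list):
    """True if the subject matches some entry after alias normalization."""
    return any(same_subject(subject, entry) for entry in trust_list)


# The signer subject exactly as it appears in the workflows.log line above.
LOGGED_SIGNER = ("CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,"
                 "S=Some-State,C=AU")

# Constructed trust-list entries (not from the page): the first is the same
# subject written with the RFC 4514 short name ST, as a trust list would be.
TRUST_LIST = [
    "CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
    "CN=scep-signer-2,O=Example,L=Richmond,ST=BC,C=CA",
]


if __name__ == "__main__":
    print("raw string match:  ", LOGGED_SIGNER in TRUST_LIST)               # False
    print("normalized match:  ", in_trust_list(LOGGED_SIGNER, TRUST_LIST))  # True
    print("canonical subject: ", canonical_dn(LOGGED_SIGNER))
```

The raw-string lookup fails for exactly the reason the log shows, while the normalized one matches. Note that this, like the patch, only papers over the alias on the comparison side; a CSR that carries no ST or L attribute at all, as Oliver suggests, avoids the problem without any code change.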
