Thanks!

I was able to get this to work using the workaround to leave the state
field blank.

I couldn't use the patch because I didn't install it from source.

This gets me past the first proof-of-concept.

One other question, does this OpenXPKI server also support enrolment /
renewals using the EST protocol?


Regards,

Darcy
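
Generating a request that matches the workaround described above (a CSR carrying only a CN, so no S=/ST= or L= attribute reaches the subject renderer), as an added example that is not code from the thread or from the OpenXPKI project. It uses only `openssl req` with a prompt-free config; the CN value `MG90 ND63940293011030` is taken from the log lines quoted later in the thread, while the challenge password value and the output directory are constructed placeholders, and the sscep invocation in the trailing comment mirrors the one quoted further down but is not executed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI: build a CSR that
# carries nothing but a CN (plus the SCEP challengePassword attribute), so the
# request has no S=/ST= or L= RDN for the subject renderer to stumble over.
set -e

# Write a prompt-free openssl config and create key + CSR in the given dir.
# $1 = output directory, $2 = subject CN, $3 = challenge password (all
# caller-chosen; the values in the usage comment below are placeholders).
make_cn_only_csr() {
    dir=$1; cn=$2; pw=$3
    mkdir -p "$dir"
    cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs

[ dn ]
CN = $cn

[ attrs ]
challengePassword = $pw
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/csr.cnf" \
        -keyout "$dir/scep-test.key" \
        -out "$dir/scep-test.csr" 2>/dev/null
}

# Print the CSR subject in RFC 2253 form, e.g. "CN=MG90 ND63940293011030".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Exit status 0 when no stateOrProvinceName (S=/ST=) or locality (L=) RDN is
# present; this is the precondition the workaround in the thread relies on.
csr_has_no_state_or_locality() {
    ! csr_subject "$1" | grep -Eiq '(^|,)(S|ST|L)='
}

# Usage (placeholder CN/challenge; the sscep call is the one from the thread):
#   make_cn_only_csr tmp "MG90 ND63940293011030" "changeme"
#   csr_has_no_state_or_locality tmp/scep-test.csr && echo "CSR is CN-only"
#   sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
#       -k tmp/scep-test.key -r tmp/scep-test.csr -c tmp/cacert-0 \
#       -l tmp/scep-test.crt -t 10 -n 1
```

The check deliberately looks at the subject as OpenSSL prints it rather than at the config file, so it also catches a CSR produced interactively where "Some-State" was left as the default instead of being blanked.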


On Wed, 2018-10-31 at 07:25 +0100, Oliver Welter wrote:
> Hi Darcy, Martin,
> 
> here is a patch which is somewhat a "quick hack" that makes it work. We
> are discussing how to move on with this but it should help you to get
> things working until we have a final solution.
> 
> Oliver
> 
> diff --git a/core/server/OpenXPKI/Crypt/X509.pm
> b/core/server/OpenXPKI/Crypt/X509.pm
> index ae8ffcf2a..08360a743 100644
> --- a/core/server/OpenXPKI/Crypt/X509.pm
> +++ b/core/server/OpenXPKI/Crypt/X509.pm
> @@ -63,7 +63,10 @@ has subject => (
>      lazy => 1,
>      default => sub {
>          my $self = shift;
> -        return join(',', reverse @{$self->_cert()->Subject});
> +        return join ",", map {
> +            # Replace S -> ST and l => L, see #674
> +            $_ =~ s{\AS=}{ST=}; $_ =~ s{\Al=}{L=}; $_
> +        } reverse @{$self->_cert()->Subject};
>      }
>  );
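
Review bot: the substitutions `$_ =~ s{\AS=}{ST=}; $_ =~ s{\Al=}{L=};` inside the `map` block at the end of the hunk operate on `$_`, which `map` aliases to the elements of the array returned by `$self->_cert()->Subject`, so the RDN strings held by the underlying certificate object are rewritten as a side effect instead of only in the rendered `subject` string. Copy before substituting, e.g. `my $rdn = $_; $rdn =~ s{\AS=}{ST=}; $rdn =~ s{\Al=}{L=}; $rdn`, or use the non-destructive `/r` form (`s{\AS=}{ST=}r`), so the lazy attribute stays a pure rendering. The `\A` anchor is right in that it only touches the attribute type and not a value that happens to begin with `S=`; the comment would help more if it said why the parser emits `S=` and `l=` for these types in the first place, since "see #674" is currently the only hint.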
> 
> 
> Am 30.10.2018 um 23:53 schrieb Oliver Welter:
> > Hi Darcy,
> > 
> > I shouldn't do such things at midnight - I can see in the logs that there
> > is a ST attribute in your request. So please remove this and all should
> > work - if you are interested in the background ->
> > https://github.com/openxpki/openxpki/issues/674
> > 
> > Oliver
> > 
> > Am 30.10.2018 um 23:40 schrieb Oliver Welter:
> > > Hi Darcy,
> > > 
> > > one question I cannot answer myself from the logs - did you have an L
> > > and/or ST attribute in your CSR (there is a bug!)? If so, please remove
> > > it and try again - with the sample profiles only the CN is used, so
> > > anything else is ignored.
> > > 
> > > If this is not the case, please try to enroll against our public demo
> > > http://oxi-ee-demo.whiterabbitsecurity.com/scep/scep or send me your
> > > CSR/Key or openssl command to generate a similar CSR.
> > > 
> > > best regards
> > > 
> > > Oliver
> > > 
> > > Am 29.10.2018 um 18:27 schrieb Darcy Watkins:
> > > > Hi,
> > > > 
> > > > Included some of the log file output...
> > > > 
> > > > Thanks in advance.
> > > > 
> > > > On Mon, 2018-10-29 at 09:39 -0700, Darcy Watkins wrote:
> > > > > Hi,
> > > > > 
> > > > > I set up the...
> > > > > 
> > > > > scep.SERVER.policy.allow_anon_enroll: 1
> > > > > 
> > > > > ...and it doesn't seem to make any difference.  Still get the same
> > > > > error response.
> > > > > 
> > > > > For the step immediately before the scep-enroll (generating the key,
> > > > > etc), apart from the challenge secret specified in the online doc, is
> > > > > there anything special that I should be entering in as all the other
> > > > > fields I am prompted for?
> > > > > 
> > > > > Regarding the security concern, this is a test server setup for proof
> > > > > of concept.
> > > > > 
> > > > > 
> > > > 
> > > > /var/log/openxpki/scep.log ...
> > > > 
> > > > 2018/10/29 10:05:23 DEBUG:2507 Autodetect config file for service scep: scep.conf
> > > > 2018/10/29 10:05:23 DEBUG:2507 No config file found, falling back to default
> > > > 2018/10/29 10:05:23 INFO:2507 Incoming request from 10.1.65.139 with PKIOperation
> > > > 2018/10/29 10:05:27 DEBUG:2507 Response send
> > > > 
> > > > /var/log/openxpki/workflows.log ...
> > > > 
> > > > 2018/10/29 10:05:26 1791 Rendering subject: CN=MG90
> > > > ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org 
> > > > 2018/10/29 10:05:26 1791 Trusted Signer chain validation
> > > > FAILED 
> > > > 2018/10/29 10:05:26 1791 Trusted Signer not found in trust list
> > > > (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-
> > > > State,C=AU). 
> > > > 
> > > > /var/log/openxpki/catchall.log
> > > > 
> > > > 2018/10/29 10:05:24 openxpki.application.INFO SCEP incoming request, id 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:24 openxpki.application.INFO SCEP try to start new workflow for 15C68437136E8C61175F791E0E5169DE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:26 openxpki.application.INFO Rendering subject: CN=MG90 ND63940293011030,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=MG90 ND63940293011030,O=Internet Widgits Pty Ltd,S=Some-State,C=AU). [pid=2823|sid=q0eQ|wftype=certificate_enroll|wfid=1791|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:27 openxpki.application.INFO SCEP started new workflow with id 1791, state FAILURE [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 2018/10/29 10:05:27 openxpki.application.ERROR SCEP Request failed without error code set - default to badRequest [pid=2823|sid=q0eQ|sceptid=15C68437136E8C61175F791E0E5169DE]
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Darcy
> > > > > 
> > > > > Darcy Watkins ::  Senior Staff Engineer, Firmware
> > > > > 
> > > > > SIERRA WIRELESS
> > > > > Direct  +1 604 233 7989   ::  Fax  +1 604 231 1109  ::  Main  +1 604 231 1100
> > > > > 13811 Wireless Way  :: Richmond, BC Canada V6V 3A4
> > > > > [email protected] :: www.sierrawireless.com
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Martin Bartosch <[email protected]> 
> > > > > Sent: October-27-18 7:19 AM
> > > > > To: [email protected]
> > > > > Subject: Re: [OpenXPKI-users] FW: SCEP server setup
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > > I followed the instructions at
> > > > > > https://openxpki.readthedocs.io/en/latest/quickstart.html to set up
> > > > > > a test server configuration and can log in, etc. I built an sscep
> > > > > > client to test the SCEP service.  Everything appears to work OK up
> > > > > > to the last stage.
> > > > > > 
> > > > > > For the last stage, 
> > > > > > 
> > > > > > sscep enroll -u http://carmd-er-n00000.sierrawireless.local/scep/scep \
> > > > > >     -k tmp/scep-test.key -r tmp/scep-test.csr \
> > > > > >     -c tmp/cacert-0 \
> > > > > >     -l tmp/scep-test.crt \
> > > > > >     -t 10 -n 1
> > > > > > 
> > > > > > I get the following error:
> > > > > > 
> > > > > > sscep: sending certificate request
> > > > > > sscep: valid response from server
> > > > > > sscep: reply transaction id: 1C80739573B63A52747F2A777BCF6112
> > > > > > sscep: pkistatus: FAILURE
> > > > > > sscep: reason: Transaction not permitted or supported
> > > > > 
> > > > > The command you use tries to perform an anonymous initial enrollment
> > > > > against the SCEP server. The OpenXPKI team believes that certificate
> > > > > enrollment should be both authenticated and authorized, hence
> > > > > anonymous SCEP initial enrollment is disabled by default.
> > > > > 
> > > > > If you wish to allow this, set
> > > > > 
> > > > > scep.SERVER.policy.allow_anon_enroll: 1
> > > > > 
> > > > > in your configuration. You should consider the security implications
> > > > > for production deployments.
> > > > > 
> > > > > Cheers
> > > > > 
> > > > > Martin
> > > > > 
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > OpenXPKI-users mailing list
> > > > > [email protected]
> > > > > https://lists.sourceforge.net/lists/listinfo/openxpki-users
> > > > > 
> > > 
> > 
> 