Hi Robert,

to avoid people flushing the system with anonymous requests an "unauthenticated" the default policy is to reject them. Simple solution, just set "allow_man_authen: 0" to 1 - this will hold the request in "Manual Authentication Pending" where it can be accepted via the UI.

Other options are using an HMAC or Challenge Password - have a look at the SCEP config file scep/scep-server-1.yaml - the backend workflow is the same and the options are explained here in detail.

Oliver

On 14.03.19 at 10:09, Robert Pfaff wrote:
> Hi all,
>
> I’m currently stuck while trying to upload a CSR to OpenXPKI via RPC and have
> it signed interactively by an Operator.
> While doing this interactively using the UI and logging in as Anonymous
> everything works as expected. But with RPC I get an exception (details below).
> The corresponding workflow exists after the request and also has the correct
> CSR in context but with "State FAILURE", "Run State finished", "error_code
> Request was not authenticated".
> Did I miss a thing, as i.e. a CertificateSearch via RPC works seamlessly? Is
> this a version thing?
>
> Kind regards,
> Robert
>
> openxpkiadm version: Version (core): 1.20.2
>
> rpc.log:
> 2019/03/14 09:47:06 INFO:28897 RPC handler initialized
> 2019/03/14 09:47:06 DEBUG:28897 Autodetect config file for service rpc: .conf
> 2019/03/14 09:47:06 DEBUG:28897 No config file found, falling back to default
> 2019/03/14 09:47:06 DEBUG:28897 calling context is https
> 2019/03/14 09:47:06 DEBUG:28897 RPC unauthenticated (no cert)
> 2019/03/14 09:47:06 DEBUG:28897 Initialize client
> 2019/03/14 09:47:06 DEBUG:28897 Started volatile session with id: BcCr77bFQjeOqEL+uJjJ1g==
> 2019/03/14 09:47:06 DEBUG:28897 Selecting realm ca-oftp
> 2019/03/14 09:47:06 DEBUG:28897 Selecting auth stack Anonymous
> 2019/03/14 09:47:07 DEBUG:28897 Workflow created (ID: 4607), State: FAILURE
> 2019/03/14 09:47:07 INFO:28897 RPC request was processed properly (Workflow: 4607, State: FAILURE
> 2019/03/14 09:47:07 DEBUG:28897 Keys cert_identifier, error_code
> 2019/03/14 09:47:07 INFO:28897 Disconnect client
>
> curl request:
> curl -F "method=RequestCertificate" -F "comment=Test" -F pkcs10="$(cat csr.pem)" https://192.168.20.57/rpc -k
>
> curl result:
> {
>     "result":{
>         "data":{
>             "error_code":"I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED"
>         },
>         "state":"FAILURE",
>         "id":"4607",
>         "pid":28897
>     }
> }
>
> With following configuration:
> default.conf:
> [global]
> log_config = /etc/openxpki/rpc/log.conf
> log_facility = client.rpc
> socket = /var/openxpki/openxpki.socket
> realm = ca-oftp
>
> [auth]
> stack = Anonymous
>
> [RequestCertificate]
> workflow = certificate_enroll
> param = pkcs10, comment
> output = cert_identifier, error_code
> env = signer_cert
> servername = enroll
>
> [RevokeCertificateByIdentifier]
> workflow = certificate_revocation_request_v2
> param = cert_identifier, reason_code, comment, invalidity_time
> env = signer_cert, signer_dn
> servername = default
> output = error_code
>
> [RevokeCertificateByEntity]
> workflow = certificate_revoke_by_entity
> param = entity, reason_code, comment
> env = signer_cert, signer_dn
> servername = default
> output = error_code
>
> [SearchCertificate]
> workflow = certificate_search
> param = common_name
> output = cert_identifier, notbefore, notafter, status
>
> enroll.yaml:
> authorized_signer:
> #    rule1:
> #        # Full DN
> #        subject: CN=.+:scepclient,.*
> #    rule2:
> #        # Full DN
> #        subject: CN=.+:pkiclient,.*
>
> # You must set at least one of both options or remove the is_policy_loaded
> # condition in the workflow definition
> policy:
>     allow_man_authen: 0
>     allow_man_approv: 1
>     allow_anon_enroll: 1
>     approval_points: 1
>
> profile:
> #    cert_profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
> #    cert_subject_style: enroll
>     cert_profile: oftp2
>     cert_subject_style: 05_advanced_styles
>
> eligibility:
>     value: 1
>
> eligible:
>     initial:
>         value: 1
>     renewal:
>         value: 1
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
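An operator who enables manual authentication for anonymous RPC enrollment may want to watch how many unauthenticated requests actually arrive. The following is an added example, not part of the thread and not OpenXPKI code: it parses rpc.log lines in the layout quoted above and lists every workflow created by a request logged as "RPC unauthenticated (no cert)". The function names are hypothetical, the sample log is constructed (states other than FAILURE are placeholders), and it assumes each worker PID serves one request at a time, ending at "Disconnect client".

```python
import re
from collections import Counter

# Layout of the rpc.log lines quoted in the thread: <date> <time> <LEVEL>:<pid> <message>
LINE = re.compile(r"^(\S+ \S+) (\w+):(\d+) (.*)$")
WORKFLOW = re.compile(r"Workflow created \(ID: (\d+)\), State: (\w+)")

# Constructed sample modelled on the quoted log; IDs 4608/4609 and their states are made up.
SAMPLE_LOG = """\
2019/03/14 09:47:06 DEBUG:28897 RPC unauthenticated (no cert)
2019/03/14 09:47:07 DEBUG:28897 Workflow created (ID: 4607), State: FAILURE
2019/03/14 09:47:07 INFO:28897 Disconnect client
2019/03/14 09:48:10 DEBUG:28897 RPC unauthenticated (no cert)
2019/03/14 09:48:11 DEBUG:28897 Workflow created (ID: 4608), State: PENDING
2019/03/14 09:48:11 INFO:28897 Disconnect client
2019/03/14 09:48:30 DEBUG:28901 Workflow created (ID: 4609), State: SUCCESS
2019/03/14 09:48:30 INFO:28901 Disconnect client
"""

def unauthenticated_workflows(log_text):
    """Return (timestamp, pid, workflow_id, state) for every workflow created
    by a request the handler logged as 'RPC unauthenticated (no cert)'."""
    unauth = set()   # PIDs currently serving an unauthenticated request
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line
        stamp, _level, pid, msg = m.groups()
        if msg.startswith("RPC unauthenticated"):
            unauth.add(pid)
        elif msg.startswith("Disconnect client"):
            unauth.discard(pid)  # the worker PID is reused for the next request
        else:
            wf = WORKFLOW.search(msg)
            if wf and pid in unauth:
                hits.append((stamp, pid, int(wf.group(1)), wf.group(2)))
    return hits

def summarize(hits):
    """Count unauthenticated workflows per reported state."""
    return Counter(state for *_, state in hits)

if __name__ == "__main__":
    hits = unauthenticated_workflows(SAMPLE_LOG)
    for stamp, pid, wf_id, state in hits:
        print(f"{stamp} pid={pid} workflow={wf_id} state={state}")
    print(dict(summarize(hits)))
```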
