Hi Oliver,

thank you so much for this hint (obvious in retrospect). Had some trouble with my workflow afterwards but now everything works smoothly.

Kind regards,
Robert

> On 15.03.2019 at 07:09, Oliver Welter <[email protected]> wrote:
>
> Hi Robert,
>
> to avoid people flushing the system with anonymous requests an
> "unauthenticated" the default policy is to reject them. Simple solution,
> just set "allow_man_authen: 0" to 1 - this will hold the request in
> "Manual Authentication Pending" where it can be accepted via the UI.
>
> Other options are using an HMAC or Challenge Password - have a look at
> the SCEP config file scep/scep-server-1.yaml - the backend workflow is
> the same and the options are explained here in detail.
>
> Oliver
>
>
> On 14.03.19 at 10:09, Robert Pfaff wrote:
>> Hi at all,
>>
>> I'm currently stuck while trying to upload a CSR to OpenXPKI via RPC and have
>> it signed interactively by an Operator.
>> While doing this interactively using the UI and logging in as Anonymous
>> everything works as expected. But with RPC I get an exception (Details
>> below).
>> The corresponding Workflow exists after the request and also has the correct
>> CSR in context but with "State FAILURE", "Run State finished", "error_code
>> Request was not authenticated"
>> Did I miss a thing as i.e. a CertificateSearch via RPC works seamlessly. Is
>> this a version thing?
>>
>> Kind regards,
>> Robert
>>
>> openxpkiadm version: Version (core): 1.20.2
>>
>> rpc.log:
>> 2019/03/14 09:47:06 INFO:28897 RPC handler initialized
>> 2019/03/14 09:47:06 DEBUG:28897 Autodetect config file for service rpc: .conf
>> 2019/03/14 09:47:06 DEBUG:28897 No config file found, falling back to default
>> 2019/03/14 09:47:06 DEBUG:28897 calling context is https
>> 2019/03/14 09:47:06 DEBUG:28897 RPC unauthenticated (no cert)
>> 2019/03/14 09:47:06 DEBUG:28897 Initialize client
>> 2019/03/14 09:47:06 DEBUG:28897 Started volatile session with id:
>> BcCr77bFQjeOqEL+uJjJ1g==
>> 2019/03/14 09:47:06 DEBUG:28897 Selecting realm ca-oftp
>> 2019/03/14 09:47:06 DEBUG:28897 Selecting auth stack Anonymous
>> 2019/03/14 09:47:07 DEBUG:28897 Workflow created (ID: 4607), State: FAILURE
>> 2019/03/14 09:47:07 INFO:28897 RPC request was processed properly (Workflow:
>> 4607, State: FAILURE
>> 2019/03/14 09:47:07 DEBUG:28897 Keys cert_identifier, error_code
>> 2019/03/14 09:47:07 INFO:28897 Disconnect client
>>
>> curl request:
>> curl -F "method=RequestCertificate" -F "comment=Test" -F pkcs10="$(cat
>> csr.pem)" https://192.168.20.57/rpc -k
>>
>> curl result:
>> {
>>   "result":{
>>     "data":{
>>       "error_code":"I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED"
>>     },
>>     "state":"FAILURE",
>>     "id":"4607",
>>     "pid":28897
>>   }
>> }
>>
>> With following configuration:
>> default.conf:
>> [global]
>> log_config = /etc/openxpki/rpc/log.conf
>> log_facility = client.rpc
>> socket = /var/openxpki/openxpki.socket
>> realm = ca-oftp
>>
>> [auth]
>> stack = Anonymous
>>
>> [RequestCertificate]
>> workflow = certificate_enroll
>> param = pkcs10, comment
>> output = cert_identifier, error_code
>> env = signer_cert
>> servername = enroll
>>
>> [RevokeCertificateByIdentifier]
>> workflow = certificate_revocation_request_v2
>> param = cert_identifier, reason_code, comment, invalidity_time
>> env = signer_cert, signer_dn
>> servername = default
>> output = error_code
>>
>> [RevokeCertificateByEntity]
>> workflow = certificate_revoke_by_entity
>> param = entity, reason_code, comment
>> env = signer_cert, signer_dn
>> servername = default
>> output = error_code
>>
>> [SearchCertificate]
>> workflow = certificate_search
>> param = common_name
>> output = cert_identifier, notbefore, notafter, status
>>
>> enroll.yaml:
>> authorized_signer:
>> #    rule1:
>> #        # Full DN
>> #        subject: CN=.+:scepclient,.*
>> #    rule2:
>> #        # Full DN
>> #        subject: CN=.+:pkiclient,.*
>>
>> # You must set at least one of both options or remove the is_policy_loaded
>> # condition in the workflow definition
>> policy:
>>     allow_man_authen: 0
>>     allow_man_approv: 1
>>     allow_anon_enroll: 1
>>     approval_points: 1
>>
>> profile:
>>     # cert_profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
>>     # cert_subject_style: enroll
>>     cert_profile: oftp2
>>     cert_subject_style: 05_advanced_styles
>>
>> eligibility:
>>     value: 1
>>
>> eligible:
>>     initial:
>>         value: 1
>>     renewal:
>>         value: 1
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
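
The rejection discussed in this thread leaves a recognisable trace in rpc.log, which makes it possible to watch for bursts of anonymous requests. The following is an added example, not part of the thread and not OpenXPKI code: it assumes the log line layout of the excerpt quoted above, the function names are hypothetical, and the sample lines after the first request are constructed.

```python
import re
from collections import Counter

# Line layout taken from the rpc.log excerpt in the thread, e.g.
#   2019/03/14 09:47:06 DEBUG:28897 RPC unauthenticated (no cert)
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d):\d\d \w+:(\d+) (.*)$")
WORKFLOW = re.compile(r"Workflow created \(ID: (\d+)\), State: (\w+)")

def rejected_unauthenticated(lines):
    """One record per unauthenticated RPC request whose workflow ended in FAILURE."""
    pending, hits = {}, []          # pending: pid -> request currently being handled
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                # skip wrapped or unrelated lines
        minute, pid, msg = m.groups()
        req = pending.setdefault(pid, {"unauth": False, "realm": None})
        if msg.startswith("RPC unauthenticated"):
            req["unauth"] = True
        elif msg.startswith("Selecting realm "):
            req["realm"] = msg.split()[-1]
        elif msg.startswith("Disconnect client"):
            pending.pop(pid)        # request finished, forget per-request state
        else:
            wf = WORKFLOW.search(msg)
            if wf and wf.group(2) == "FAILURE" and req["unauth"]:
                hits.append({"minute": minute, "pid": pid,
                             "realm": req["realm"], "workflow": wf.group(1)})
    return hits

def busy_minutes(hits, threshold):
    """Minutes in which at least `threshold` unauthenticated requests were rejected."""
    counts = Counter(h["minute"] for h in hits)
    return sorted(minute for minute, n in counts.items() if n >= threshold)

# First request: lines from the thread's excerpt. The other two are constructed;
# the state name PENDING is a placeholder, not a confirmed OpenXPKI state.
SAMPLE_LOG = """\
2019/03/14 09:47:06 DEBUG:28897 RPC unauthenticated (no cert)
2019/03/14 09:47:06 DEBUG:28897 Selecting realm ca-oftp
2019/03/14 09:47:07 DEBUG:28897 Workflow created (ID: 4607), State: FAILURE
2019/03/14 09:47:07 INFO:28897 Disconnect client
2019/03/14 09:47:31 DEBUG:28897 RPC unauthenticated (no cert)
2019/03/14 09:47:31 DEBUG:28897 Selecting realm ca-oftp
2019/03/14 09:47:32 DEBUG:28897 Workflow created (ID: 4608), State: FAILURE
2019/03/14 09:47:32 INFO:28897 Disconnect client
2019/03/14 09:52:10 DEBUG:28901 RPC unauthenticated (no cert)
2019/03/14 09:52:11 DEBUG:28901 Workflow created (ID: 4609), State: PENDING
2019/03/14 09:52:11 INFO:28901 Disconnect client
""".splitlines()
```

Per-request state is keyed by the process id in the log prefix and cleared on "Disconnect client", so a handler process that serves several requests is not counted as one.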
