Hi,

I have been working with OpenXPKI for a month now. I have configured a lot of 
things (great job, it is quite easy!).
Using sscep, I can get the CA certificates. However, I can't make the SCEP 
server work properly to generate new certificates.

These are the commands I use:

- mkdir tmp
- ./sscep_dyn getca -c tmp/cacert -u http://localhost/scep/scep

- ./sscep_dyn enroll -u http://localhost/scep/scep -k tmp/scep-test.key -r tmp/scep-test.csr -c tmp/cacert-0 -l tmp/scep-test.crt -t 10 -n 1

I automatically get the certificate when:

- approval_points: 0 (that proves the scep server works)

but when I ask for a new certificate with:

- approval_points: 1

I am in pending state (that's normal behaviour, I guess) and I (as an operator) 
can't validate the request: it does not appear in the task board. This is 
weird because when I use the same csr in the demo server it works, I can 
validate it with the raop account. But in mine the request does not appear. I 
am working locally (localhost); is this a problem?

I haven't modified the SCEP configuration file; the secret challenge is still 
SecretChallenge ^^.

My questions are:

- Is there some configuration to make them visible in the operator task board?
- How does the "authorized signer" work?
- What does "Trusted Signer chain validation failed" mean?
- Finally, why do I always get "No config file found, falling back to default"?

Some log information for you:

catchall.log :
2019/04/24 16:05:25 openxpki.application.INFO SCEP incoming request, id 127D4B178FF0619A50DD7574DBCB7F3C [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:25 openxpki.application.INFO SCEP try to start new workflow for 127D4B178FF0619A50DD7574DBCB7F3C [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.INFO Rendering subject: CN=test,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU). [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.INFO validate challenge using compare validated [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.INFO Eligibility check for scep.scep-server-1.eligible.initial failed [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:26 openxpki.application.INFO Trigger notification message enroll_approval_pending [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:27 openxpki.application.INFO SCEP started new workflow with id 1279, state PENDING [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:27 openxpki.application.INFO SCEP 1279 in state PENDING, send pending reply [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request, id 127D4B178FF0619A50DD7574DBCB7F3C [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request, found workflow 1279, state PENDING [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
2019/04/24 16:05:38 openxpki.application.INFO SCEP 1279 in state PENDING, send pending reply [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]

scep.log :
2019/04/24 16:05:24 DEBUG:11602 Autodetect config file for service scep: scep.conf
2019/04/24 16:05:24 DEBUG:11602 No config file found, falling back to default
2019/04/24 16:05:24 INFO:11602 Incoming request from 127.0.0.1 with PKIOperation
2019/04/24 16:05:27 DEBUG:11602 Response send
2019/04/24 16:05:37 DEBUG:11602 Autodetect config file for service scep: scep.conf
2019/04/24 16:05:37 DEBUG:11602 No config file found, falling back to default
2019/04/24 16:05:37 INFO:11602 Incoming request from 127.0.0.1 with PKIOperation
2019/04/24 16:05:38 DEBUG:11602 Response send

workflow.log :
2019/04/24 16:05:26 1279 Rendering subject: CN=test,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/04/24 16:05:26 1279 Trusted Signer chain validation FAILED
2019/04/24 16:05:26 1279 Trusted Signer not found in trust list (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU).
2019/04/24 16:05:26 1279 validate challenge using compare validated
2019/04/24 16:05:26 1279 Eligibility check for scep.scep-server-1.eligible.initial failed
2019/04/24 16:05:26 1279 Trigger notification message enroll_approval_pending

Thank you for your time,

Daniel
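
Added example, not part of the original post and not OpenXPKI's own tooling: a Python sketch that groups catchall.log records by SCEP transaction id and reports the result of each check named in the log, tolerating records that a mail client has hard-wrapped. The sample input and the id TID0001 are constructed; the message patterns are copied from the log lines quoted in the post.

```python
import re
from collections import defaultdict
# Constructed sample in the catchall.log format quoted above, with hard
# line wraps as a mail client would add. TID0001 is a made-up sceptid.
CTX = "[pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=TID0001]"
SAMPLE = f"""\
2019/04/24 16:05:26 openxpki.application.WARN Trusted Signer chain validation
FAILED
{CTX}
2019/04/24 16:05:26 openxpki.application.INFO validate challenge using compare
validated
{CTX}
2019/04/24 16:05:26 openxpki.application.INFO Eligibility check for
scep.scep-server-1.eligible.initial failed
{CTX}
2019/04/24 16:05:27 openxpki.application.INFO SCEP 1279 in state PENDING, send
pending reply [pid=11627|sid=q2P/|sceptid=TID0001]
"""

NEW_RECORD = re.compile(r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")
RECORD = re.compile(r"(\S+ \S+) \S+\.(\w+) (.*?)\s*\[([^\]]*)\]$")
CHECKS = {  # message patterns copied from the log lines in the post
    "signer_chain": re.compile(r"Trusted Signer chain validation (\w+)"),
    "challenge": re.compile(r"validate challenge using \w+ (\w+)"),
    "eligibility": re.compile(r"Eligibility check for \S+ (\w+)"),
    "state": re.compile(r"SCEP \d+ in state (\w+)"),
}

def unwrap(text):
    """Rejoin wrapped records: only a leading timestamp starts a new one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if NEW_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Map each SCEP transaction id to the last result seen per check."""
    out = defaultdict(dict)
    for m in filter(None, map(RECORD.match, unwrap(text))):
        pairs = (kv.split("=", 1) for kv in m.group(4).split("|") if "=" in kv)
        msg, ctx = m.group(3), dict(pairs)
        tid = ctx.get("sceptid", "unknown")
        out[tid].update({k: ctx[k] for k in ("wfid", "wftype") if k in ctx})
        for name, rx in CHECKS.items():
            if hit := rx.search(msg):
                out[tid][name] = hit.group(1).lower()
    return dict(out)
```

Calling summarize() on the text of catchall.log gives one entry per transaction id, so a request that ended up pending can be read next to the signer, challenge and eligibility results logged for it.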