Hi Daniel,

looks like we have a mistake in the config so the SCEP workflows don't
show up as open tasks :(

You should find the pending request using the "workflow search". To fix
the "My Task" view, open uicontrol/RA Operator.yaml and change the
workflow type from "enrollment" to "certificate_enroll" around line 100:

    query:
      type:
        - certificate_enroll

Trusted signer requires signature of incoming requests with a special
enrollment certificate and here you can define what certs "match" -
check the docs of the EvalSignerTrust Perl Module for more details.

Chain validation fails as the request is self-signed (that's ok) and for
the warning on the fallback see
https://openxpki.readthedocs.io/en/latest/subsystems/index.html#config-path-expansion

Oliver

Am 26.04.19 um 09:17 schrieb daniel.Jackson.fr via OpenXPKI-users:
> Hi,
> 
> I am working on OpenXPKI for a month now. I have configured a lot of
> things. (great job, it is quite easy !).
> Using sscep, I can get the CA certificates. However, I can't make the
> SCEP server work properly to generate new certificates.
> 
> These are the commands I use :
> 
>   * mkdir tmp
>   * ./sscep_dyn getca -c tmp/cacert -u http://localhost/scep/scep
>   * ./sscep_dyn enroll -u http://localhost/scep/scep -k
>     tmp/scep-test.key -r tmp/scep-test.csr -c tmp/cacert-0 -l
>     tmp/scep-test.crt -t 10 -n 1
> 
> 
> I automatically get the certificate when :
> 
>   * approval_points: 0 (that proves the scep server works)
> 
> but, when I ask for a new certificate with :
> 
>   * approval_points: 1
> 
> I am in pending state (that's normal behaviour I guess) and I (as an
> operator) can't validate the request : it does not appear in the task
> board. This is weird because when I use the same csr in the demo server
> it works, I can validate it with the raop account. But in mine the
> request does not appear. I am working locally (localhost) is this a
> problem ?
> 
> I haven't modified the SCEP configuration file, the secret challenge is
> still SecretChallenge ^^.
> 
> My questions are :
> 
>   * Is there some configuration to make them visible to the operator
>     task board ?
>   * How does the "authorized signer" work ?
>   * What does it mean "Trusted Signer chain validation failed" ?
>   * Finally, why do I always have "No config file found, falling back to
>     default" ?
> 
> 
> Some log information for you :
> 
> *catchall.log :*
> 2019/04/24 16:05:25 openxpki.application.INFO SCEP incoming request, id
> 127D4B178FF0619A50DD7574DBCB7F3C
> [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:25 openxpki.application.INFO SCEP try to start new
> workflow for 127D4B178FF0619A50DD7574DBCB7F3C
> [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.INFO Rendering subject:
> CN=test,DC=Test Deployment,DC=OpenXPKI,DC=org
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.WARN Trusted Signer chain
> validation FAILED
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.INFO Trusted Signer not found
> in trust list (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU).
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.INFO validate challenge using
> compare validated
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.INFO Eligibility check for
> scep.scep-server-1.eligible.initial failed
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:26 openxpki.application.INFO Trigger notification
> message enroll_approval_pending
> [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:27 openxpki.application.INFO SCEP started new workflow
> with id 1279, state PENDING
> [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:27 openxpki.application.INFO SCEP 1279 in state
> PENDING, send pending reply
> [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request, id
> 127D4B178FF0619A50DD7574DBCB7F3C
> [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request,
> found workflow 1279, state PENDING
> [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 2019/04/24 16:05:38 openxpki.application.INFO SCEP 1279 in state
> PENDING, send pending reply
> [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> 
> 
> *scep.log :*
> 2019/04/24 16:05:24 DEBUG:11602 Autodetect config file for service scep:
> scep.conf
> 2019/04/24 16:05:24 DEBUG:11602 No config file found, falling back to
> default
> 2019/04/24 16:05:24 INFO:11602 Incoming request from 127.0.0.1 with
> PKIOperation
> 2019/04/24 16:05:27 DEBUG:11602 Response send
> 2019/04/24 16:05:37 DEBUG:11602 Autodetect config file for service scep:
> scep.conf
> 2019/04/24 16:05:37 DEBUG:11602 No config file found, falling back to
> default
> 2019/04/24 16:05:37 INFO:11602 Incoming request from 127.0.0.1 with
> PKIOperation
> 2019/04/24 16:05:38 DEBUG:11602 Response send
> 
> *workflow.log :*
> 2019/04/24 16:05:26 1279 Rendering subject: CN=test,DC=Test
> Deployment,DC=OpenXPKI,DC=org
> 2019/04/24 16:05:26 1279 Trusted Signer chain validation FAILED
> 2019/04/24 16:05:26 1279 Trusted Signer not found in trust list
> (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU).
> 2019/04/24 16:05:26 1279 validate challenge using compare validated
> 2019/04/24 16:05:26 1279 Eligibility check for
> scep.scep-server-1.eligible.initial failed
> 2019/04/24 16:05:26 1279 Trigger notification message
> enroll_approval_pending
> 
> Thank you for your time,
> 
> Daniel
> 
> 
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


-- 
Protect your environment -  close windows and adopt a penguin!
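
To read the decision trail of a pending SCEP request from catchall.log, the following added example (not part of the original thread and not OpenXPKI code) groups lines by `sceptid` and reports the workflow type that the task-view query has to list. The sample lines are constructed from the quoted log (wrapped lines rejoined, transaction id shortened); `summarize` and the finding labels are names chosen for this example.

```python
import re

# Constructed sample, modelled on the catchall.log excerpt quoted above
# (wrapped lines rejoined, transaction id shortened to AAAA0001).
SAMPLE_LOG = """\
2019/04/24 16:05:25 openxpki.application.INFO SCEP incoming request, id AAAA0001 [pid=11627|sid=q2P/|sceptid=AAAA0001]
2019/04/24 16:05:26 openxpki.application.WARN Trusted Signer chain validation FAILED [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=AAAA0001]
2019/04/24 16:05:26 openxpki.application.INFO Trusted Signer not found in trust list (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU). [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=AAAA0001]
2019/04/24 16:05:26 openxpki.application.INFO validate challenge using compare validated [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=AAAA0001]
2019/04/24 16:05:26 openxpki.application.INFO Eligibility check for scep.scep-server-1.eligible.initial failed [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=AAAA0001]
2019/04/24 16:05:27 openxpki.application.INFO SCEP started new workflow with id 1279, state PENDING [pid=11627|sid=q2P/|sceptid=AAAA0001]
"""

# date, time, facility.LEVEL, message, [key=value|...] context block
LINE = re.compile(r"^\S+ \S+ \S+\.\w+ (.*) \[([^\]]*)\]$")
# Only messages that appear in the quoted log are recognised here.
FINDINGS = [
    (re.compile(r"Trusted Signer chain validation FAILED"), "signer chain not validated"),
    (re.compile(r"Trusted Signer not found in trust list \((.*)\)"), "signer not in trust list: {0}"),
    (re.compile(r"validate challenge using \S+ validated"), "challenge validated"),
    (re.compile(r"Eligibility check for (\S+) failed"), "not eligible: {0}"),
]
STATE = re.compile(r"state (\w+)")

def summarize(log_text):
    """Group log lines by SCEP transaction id and collect the decision trail."""
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        msg, ctx = m.groups()
        fields = dict(kv.split("=", 1) for kv in ctx.split("|") if "=" in kv)
        tid = fields.get("sceptid")
        if tid is None:
            continue
        entry = result.setdefault(tid, {"wfid": None, "wftype": None, "findings": [], "state": None})
        for key in ("wfid", "wftype"):
            entry[key] = fields.get(key, entry[key])
        for pattern, label in FINDINGS:
            hit = pattern.search(msg)
            if hit:
                entry["findings"].append(label.format(*hit.groups()))
        st = STATE.search(msg)
        if st:
            entry["state"] = st.group(1)
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The `wftype` it reports for the pending request is `certificate_enroll`, the value the `query: type:` list in the reply above has to contain for the workflow to appear in the task view.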
