Thank you for the answer.
I can see the pending request using the "workflow search", but I still can't
see them using the "My task view".
Here is the full config in case there is another mistake:

- label: I18N_OPENXPKI_UI_TASKLIST_PENDING_ENROLLMENT_LABEL
  description: I18N_OPENXPKI_UI_TASKLIST_PENDING_ENROLLMENT_DESCRIPTION
  ifempty: hide
  query:
    type:
      - certificate_enroll
    state:
      - PENDING_APPROVAL
      - PENDING_MANUAL_AUTHENTICATION
      - PENDING_POLICY
  cols:
    - label: I18N_OPENXPKI_UI_WORKFLOW_SEARCH_SERIAL_LABEL
      field: WORKFLOW_SERIAL
    - label: I18N_OPENXPKI_UI_WORKFLOW_SEARCH_UPDATED_LABEL
      field: WORKFLOW_LAST_UPDATE
    - label: I18N_OPENXPKI_UI_WORKFLOW_STATE_LABEL
      field: WORKFLOW_STATE
    - label: I18N_OPENXPKI_UI_CERTIFICATE_SUBJECT
      field: context.cert_subject
    - label: I18N_OPENXPKI_UI_WORKFLOW_FIELD_TRANSACTION_ID_LABEL
      field: attribute.transaction_id

Daniel
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 29 April 2019 08:13, Oliver Welter <[email protected]> wrote:
> Hi Daniel,
>
> looks like we have a mistake in the config so the SCEP workflows don't
> show up as open tasks :(
>
> You should find the pending request using the "workflow search". To fix
> the "My Task" view, open uicontrol/RA Operator.yaml and change the
> workflow type from "enrollment" to "certificate_enroll" around line 100:
>
> query:
> type:
> - certificate_enroll
>
> Trusted signer requires signature of incoming requests with a special
> enrollment certificate and here you can define what certs "match" -
> check the docs of the EvalSignerTrust Perl Module for more details.
>
> Chain validation fails as the request is self signed (that's ok) and for
> the warning on the fallback see
> https://openxpki.readthedocs.io/en/latest/subsystems/index.html#config-path-expansion
>
> Oliver
>
> On 26.04.19 at 09:17, daniel.Jackson.fr via OpenXPKI-users wrote:
>
> > Hi,
> > I have been working on OpenXPKI for a month now. I have configured a lot of
> > things. (great job, it is quite easy!).
> > Using sscep, I can get the CA certificates. However, I can't make the
> > SCEP server work properly to generate new certificates.
> > These are the commands I use:
> >
> > - mkdir tmp
> > - ./sscep_dyn getca -c tmp/cacert -u http://localhost/scep/scep
> > - ./sscep_dyn enroll -u http://localhost/scep/scep -k
> > tmp/scep-test.key -r tmp/scep-test.csr -c tmp/cacert-0 -l
> > tmp/scep-test.crt -t 10 -n 1
> >
> >
> > I automatically get the certificate when:
> >
> > - approval_points: 0 (that proves the scep server works)
> >
> > but, when I ask for a new certificate with:
> >
> > - approval_points: 1
> >
> > I am in pending state (that's normal behaviour I guess) and I (as an
> > operator) can't validate the request: it does not appear in the task
> > board. This is weird because when I use the same csr in the demo server
> > it works, I can validate it with the raop account. But in mine the
> > request does not appear. I am working locally (localhost), is this a
> > problem?
> > I haven't modified the SCEP configuration file, the secret challenge is
> > still SecretChallenge ^^.
> > My questions are:
> >
> > - Is there some configuration to make them visible to the operator
> > task board?
> >
> > - How does the "authorized signer" work?
> > - What does "Trusted Signer chain validation failed" mean?
> > - Finally, why do I always have "No config file found, falling back to
> > default"?
> >
> >
> > Some log information for you:
> > catchall.log :
> > 2019/04/24 16:05:25 openxpki.application.INFO SCEP incoming request, id
> > 127D4B178FF0619A50DD7574DBCB7F3C
> > [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:25 openxpki.application.INFO SCEP try to start new
> > workflow for 127D4B178FF0619A50DD7574DBCB7F3C
> > [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.INFO Rendering subject:
> > CN=test,DC=Test Deployment,DC=OpenXPKI,DC=org
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.WARN Trusted Signer chain
> > validation FAILED
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.INFO Trusted Signer not found
> > in trust list (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU).
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.INFO validate challenge using
> > compare validated
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.INFO Eligibility check for
> > scep.scep-server-1.eligible.initial failed
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:26 openxpki.application.INFO Trigger notification
> > message enroll_approval_pending
> > [pid=11627|sid=q2P/|wftype=certificate_enroll|wfid=1279|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:27 openxpki.application.INFO SCEP started new workflow
> > with id 1279, state PENDING
> > [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:27 openxpki.application.INFO SCEP 1279 in state
> > PENDING, send pending reply
> > [pid=11627|sid=q2P/|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request, id
> > 127D4B178FF0619A50DD7574DBCB7F3C
> > [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:38 openxpki.application.INFO SCEP incoming request,
> > found workflow 1279, state PENDING
> > [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > 2019/04/24 16:05:38 openxpki.application.INFO SCEP 1279 in state
> > PENDING, send pending reply
> > [pid=11633|sid=Cvbq|sceptid=127D4B178FF0619A50DD7574DBCB7F3C]
> > scep.log :
> > 2019/04/24 16:05:24 DEBUG:11602 Autodetect config file for service scep:
> > scep.conf
> > 2019/04/24 16:05:24 DEBUG:11602 No config file found, falling back to
> > default
> > 2019/04/24 16:05:24 INFO:11602 Incoming request from 127.0.0.1 with
> > PKIOperation
> > 2019/04/24 16:05:27 DEBUG:11602 Response send
> > 2019/04/24 16:05:37 DEBUG:11602 Autodetect config file for service scep:
> > scep.conf
> > 2019/04/24 16:05:37 DEBUG:11602 No config file found, falling back to
> > default
> > 2019/04/24 16:05:37 INFO:11602 Incoming request from 127.0.0.1 with
> > PKIOperation
> > 2019/04/24 16:05:38 DEBUG:11602 Response send
> > workflow.log :
> > 2019/04/24 16:05:26 1279 Rendering subject: CN=test,DC=Test
> > Deployment,DC=OpenXPKI,DC=org
> > 2019/04/24 16:05:26 1279 Trusted Signer chain validation FAILED
> > 2019/04/24 16:05:26 1279 Trusted Signer not found in trust list
> > (CN=test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU).
> > 2019/04/24 16:05:26 1279 validate challenge using compare validated
> > 2019/04/24 16:05:26 1279 Eligibility check for
> > scep.scep-server-1.eligible.initial failed
> > 2019/04/24 16:05:26 1279 Trigger notification message
> > enroll_approval_pending
> > Thank you for your time,
> > Daniel
> >
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
>
> Protect your environment - close windows and adopt a penguin!
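
The type mismatch discussed in this thread (a tasklist querying "enrollment" while the log shows wftype=certificate_enroll) can be checked mechanically. The following is an added example, not part of the original messages or of OpenXPKI: it assumes the tasklist has already been loaded from the uicontrol file into Python lists and dicts, and the function names, log lines and ids are constructed for illustration.

```python
import re

# Bracketed context block at the end of a catchall.log line, e.g.
# [pid=1|sid=ab|wftype=certificate_enroll|wfid=1001|sceptid=...]
CONTEXT_RE = re.compile(r"\[((?:\w+=[^|\]]*)(?:\|\w+=[^|\]]*)*)\]\s*$")

def workflow_types_in_log(lines):
    """Return {wfid: wftype} for every log line whose context names both."""
    seen = {}
    for line in lines:
        m = CONTEXT_RE.search(line)
        if not m:
            continue
        ctx = dict(kv.split("=", 1) for kv in m.group(1).split("|"))
        if "wftype" in ctx and "wfid" in ctx:
            seen[ctx["wfid"]] = ctx["wftype"]
    return seen

def uncovered_workflows(tasklist, log_lines):
    """List (wfid, wftype) pairs whose type no tasklist query selects."""
    queried = set()
    for section in tasklist:
        types = section.get("query", {}).get("type", [])
        queried.update([types] if isinstance(types, str) else types)
    return sorted(
        (wfid, wftype)
        for wfid, wftype in workflow_types_in_log(log_lines).items()
        if wftype not in queried
    )

# Constructed log lines, modelled on the format quoted in the thread.
SAMPLE_LOG = [
    "2019/04/24 16:05:25 openxpki.application.INFO SCEP incoming request, "
    "id EXAMPLE01 [pid=100|sid=q2P/|sceptid=EXAMPLE01]",
    "2019/04/24 16:05:26 openxpki.application.INFO Trigger notification message "
    "enroll_approval_pending "
    "[pid=100|sid=q2P/|wftype=certificate_enroll|wfid=1001|sceptid=EXAMPLE01]",
]
STATES = ["PENDING_APPROVAL", "PENDING_MANUAL_AUTHENTICATION", "PENDING_POLICY"]
# Tasklist before and after the change suggested in the reply.
BEFORE = [{"query": {"type": ["enrollment"], "state": STATES}}]
AFTER = [{"query": {"type": ["certificate_enroll"], "state": STATES}}]

if __name__ == "__main__":
    print("before:", uncovered_workflows(BEFORE, SAMPLE_LOG))
    print("after: ", uncovered_workflows(AFTER, SAMPLE_LOG))
```

An empty result only rules out the type mismatch; the state filter and the operator's access to the workflow are not checked here.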