Hello all,
think I have found the issue.
Checking logfiles I got the following errors:
ERROR
I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CRL_KEYFILE_DOES_NOT_EXIST;
__KEYFILE__ => /etc/openxpki/ca/example-corp/ca-signer-1.pem
system.crypto.ERROR OpenSSL error: Error opening signing key file
/etc/openxpki/ca/example-corp/vault-1.pem
After creating corresponding symlinks the errors were gone.
Never the less in my other test environment there do no symlinks like these
exist, too.
(And everythings working fine with same release version...)
Only previous symlinks named:
/etc/openxpki/ssl/<realm>/<realm>-signer-1.pem
/etc/openxpki/ssl/<realm>/<realm>-vault-1.pem
/etc/openxpki/ssl/<realm>/<realm>-scep-1.pem
So maybe that is something I have missed within release notes and that were
"fixed" automagic when upgrade took place from older version/ no new
install.
Never the less you can see that there was a third symlink for "scep".
I have not found an error message accordingly, but expecting my scep will
not work, too.
Is that correct? If yes where do I have to create the symlink for scep/how
is it named?
Thanks for support.
Am Fr., 16. Aug. 2019 um 18:10 Uhr schrieb Martin Krämer <
[email protected]>:
> Hello all,
>
> I have just setup a new openxpki test environment using certificates
> already existing on another (not connected / reachable) openxpki test
> environment.
> Unfortunately the web interface system status shows me that
> ca-signer-1 (certsign) and vault-1 (datasafe) are both offline.
> Additionally I see the message "CRL expired - update required!!
> (What I think is a following error of previous two tokens being offline.)
>
> I have checked the forum and found that this is mostly caused by:
> 1. invalid key password within crypto.yaml
> 2. invalid permissions to .crt / .key files.
>
> So I checked both and found that 1. is correct.
> With 2. I am not exactly sure what are the correct permissions.
> Maybe someone can help me on this? (see my current permissions below).
>
> My system is:
> OS: Debian Jessie 8.11
> openxpki system version: 2.5.5
> openxpki package: debian-2.4
> openxpki config: 2.4
> openxpki commit: 0abcde
>
> Currently permissions are set as follows:
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *root@openxpki-000001:~# ls -la /etc/openxpki/ssl/example-corp/ total
> 116drwxr-x--- 3 openxpki root 4096 Aug 16 10:18 .drwxr-x--- 3 openxpki root
> 4096 Aug 16 10:13 ..-rwxr-x--- 1 openxpki root 2037 Aug 16 10:13
> example-corp_2019-04_DataVault.crt-rwxr-x--- 1 openxpki root 3394 Aug 16
> 10:13 example-corp_2019-04_DataVault.key-rwxr-x--- 1 openxpki root 8731 Aug
> 16 10:13 example-corp_2019-04_Issuing-CA.crt-rwxr-x--- 1 openxpki root 1773
> Aug 16 10:13 example-corp_2019-04_Issuing-CA.csr-rwxr-x--- 1 openxpki root
> 3406 Aug 16 10:13 example-corp_2019-04_Issuing-CA.key-rwxr-x--- 1 openxpki
> root 2013 Aug 16 10:13 example-corp_2019-04_Root-CA.crt-rwxr-x--- 1
> openxpki root 3394 Aug 16 10:13 example-corp_2019-04_Root-CA.key-rwxr-x---
> 1 openxpki root 6847 Aug 16 10:13
> example-corp_2019-04_Scep-RA.crt-rwxr-x--- 1 openxpki root 1752 Aug 16
> 10:13 example-corp_2019-04_Scep-RA.csr-rwxr-x--- 1 openxpki root 3394 Aug
> 16 10:13 example-corp_2019-04_Scep-RA.key-rwxr-x--- 1 openxpki root 8578
> Aug 16 10:13 example-corp_2019-04_Web.crt-rwxr-x--- 1 openxpki root 1744
> Aug 16 10:13 example-corp_2019-04_Web.csr-rwxr-x--- 1 openxpki root 3394
> Aug 16 10:13 example-corp_2019-04_Web.keylrwxrwxrwx 1 root root 63
> Aug 16 10:18 example-corp-scep-1.pem ->
> /etc/openxpki/ssl/example-corp/example-corp_2019-04_Scep-RA.keylrwxrwxrwx 1
> root root 66 Aug 16 10:18 example-corp-signer-1.pem ->
> /etc/openxpki/ssl/example-corp/example-corp_2019-04_Issuing-CA.keylrwxrwxrwx
> 1 root root 65 Aug 16 10:18 example-corp-vault-1.pem ->
> /etc/openxpki/ssl/example-corp/example-corp_2019-04_DataVault.keydrwxr-x---
> 2 openxpki root 4096 Aug 16 10:13 .openssl*
>
> *root@openxpki-000001:~# ls -la
> /etc/openxpki/config.d/realm/example-corp/crypto.yaml -r-------- 1 openxpki
> root 1553 Aug 16 15:52
> /etc/openxpki/config.d/realm/example-corp/crypto.yaml*
>
> Thanks for any help.
>
> Kind Regards
> Martin
>
>
>
>
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
