Hi Martin,

We have changed the default path to the key files from ssl/ to ca/ - as this won't affect existing installs as long as you keep the old configuration, we did not mention that explicitly in the release notes.

You can find the path spec for the keys in the realm's crypto.yaml, so please review what's in there now and put your key files (or symlinks) accordingly.

Our policy is to keep unmodified config working within the same major version, but there might be changes to improve things in between that will break existing installs when you just upgrade your config, so it's advised to use e.g. git and review the changes. You might have a look at the openxpki-config repo, we try to make the changes in the config transparent here to ease this process.

best regards

Oliver

On 17.08.19 at 09:49, Martin Krämer wrote:
Hello all,

I think I have found the issue.
Checking logfiles I got the following errors:
ERROR I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CRL_KEYFILE_DOES_NOT_EXIST; __KEYFILE__ => /etc/openxpki/ca/example-corp/ca-signer-1.pem system.crypto.ERROR OpenSSL error: Error opening signing key file /etc/openxpki/ca/example-corp/vault-1.pem

After creating corresponding symlinks the errors were gone.
Nevertheless, in my other test environment no symlinks like these exist either.
(And everything's working fine with the same release version...)
Only previous symlinks named:
     /etc/openxpki/ssl/<realm>/<realm>-signer-1.pem
     /etc/openxpki/ssl/<realm>/<realm>-vault-1.pem
     /etc/openxpki/ssl/<realm>/<realm>-scep-1.pem
So maybe that is something I have missed in the release notes and that was "fixed" automagically when the upgrade took place from an older version / not a new install.

Nevertheless, you can see that there was a third symlink for "scep".
I have not found an error message accordingly, but I expect my scep will not work either. Is that correct? If yes, where do I have to create the symlink for scep / how is it named?

Thanks for support.

On Fri, 16 Aug 2019 at 18:10, Martin Krämer <[email protected]> wrote:

    Hello all,

    I have just set up a new openxpki test environment using certificates
    already existing on another (not connected / reachable) openxpki
    test environment.
    Unfortunately the web interface system status shows me that
    ca-signer-1 (certsign) and vault-1 (datasafe) are both offline.
    Additionally I see the message "CRL expired - update required!!"
    (What I think is a follow-on error of the previous two tokens being
    offline.)

    I have checked the forum and found that this is mostly caused by:
    1. invalid key password within crypto.yaml
    2. invalid permissions to .crt / .key files.
    So I checked both and found that 1. is correct.
    With 2. I am not exactly sure what are the correct permissions.
    Maybe someone can help me on this? (see my current permissions below).

    My system is:
    OS: Debian Jessie 8.11
    openxpki system version: 2.5.5
    openxpki package: debian-2.4
    openxpki config: 2.4
    openxpki commit: 0abcde

    Currently permissions are set as follows:

    /root@openxpki-000001:~# ls -la /etc/openxpki/ssl/example-corp/
    total 116
    drwxr-x--- 3 openxpki root 4096 Aug 16 10:18 .
    drwxr-x--- 3 openxpki root 4096 Aug 16 10:13 ..
    -rwxr-x--- 1 openxpki root 2037 Aug 16 10:13 example-corp_2019-04_DataVault.crt
    -rwxr-x--- 1 openxpki root 3394 Aug 16 10:13 example-corp_2019-04_DataVault.key
    -rwxr-x--- 1 openxpki root 8731 Aug 16 10:13 example-corp_2019-04_Issuing-CA.crt
    -rwxr-x--- 1 openxpki root 1773 Aug 16 10:13 example-corp_2019-04_Issuing-CA.csr
    -rwxr-x--- 1 openxpki root 3406 Aug 16 10:13 example-corp_2019-04_Issuing-CA.key
    -rwxr-x--- 1 openxpki root 2013 Aug 16 10:13 example-corp_2019-04_Root-CA.crt
    -rwxr-x--- 1 openxpki root 3394 Aug 16 10:13 example-corp_2019-04_Root-CA.key
    -rwxr-x--- 1 openxpki root 6847 Aug 16 10:13 example-corp_2019-04_Scep-RA.crt
    -rwxr-x--- 1 openxpki root 1752 Aug 16 10:13 example-corp_2019-04_Scep-RA.csr
    -rwxr-x--- 1 openxpki root 3394 Aug 16 10:13 example-corp_2019-04_Scep-RA.key
    -rwxr-x--- 1 openxpki root 8578 Aug 16 10:13 example-corp_2019-04_Web.crt
    -rwxr-x--- 1 openxpki root 1744 Aug 16 10:13 example-corp_2019-04_Web.csr
    -rwxr-x--- 1 openxpki root 3394 Aug 16 10:13 example-corp_2019-04_Web.key
    lrwxrwxrwx 1 root     root   63 Aug 16 10:18 example-corp-scep-1.pem -> /etc/openxpki/ssl/example-corp/example-corp_2019-04_Scep-RA.key
    lrwxrwxrwx 1 root     root   66 Aug 16 10:18 example-corp-signer-1.pem -> /etc/openxpki/ssl/example-corp/example-corp_2019-04_Issuing-CA.key
    lrwxrwxrwx 1 root     root   65 Aug 16 10:18 example-corp-vault-1.pem -> /etc/openxpki/ssl/example-corp/example-corp_2019-04_DataVault.key
    drwxr-x--- 2 openxpki root 4096 Aug 16 10:13 .openssl/
    /root@openxpki-000001:~# ls -la /etc/openxpki/config.d/realm/example-corp/crypto.yaml
    -r-------- 1 openxpki root 1553 Aug 16 15:52 /etc/openxpki/config.d/realm/example-corp/crypto.yaml/

    Thanks for any help.

    Kind Regards
    Martin






_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!
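
Added example, not part of the original thread and not OpenXPKI code: a shell check for the situation discussed above, where a token goes offline because its key file is not at the path the configuration expects. It assumes the key spec resolves to `DIR/ALIAS.pem`, as in the log lines quoted in the thread; take the real directory and aliases from your realm's crypto.yaml. The world-readable check is this example's own addition.

```shell
#!/bin/sh
# Run as the user the OpenXPKI daemon runs as, otherwise the readability
# test says nothing (root can read everything).
# Usage: sh check-keys.sh /etc/openxpki/ca/example-corp ca-signer-1 vault-1

# check_key FILE
# Prints one word: ok | missing | dangling | unreadable | world-readable
# and returns non-zero for anything but "ok".
check_key() {
    f=$1
    # A symlink whose target does not exist: -L is true, -e is false.
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo dangling; return 1; fi
    if [ ! -e "$f" ]; then echo missing; return 1; fi
    if [ ! -r "$f" ]; then echo unreadable; return 1; fi
    # find -L follows the symlink, so the mode tested is the target's.
    # -perm -004 matches when the "other" read bit is set.
    if [ -n "$(find -L "$f" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
        echo world-readable; return 1
    fi
    echo ok
}

# check_token_keys DIR ALIAS...
# Prints one status line per alias and returns the number of problems.
check_token_keys() {
    dir=$1; shift
    bad=0
    for alias in "$@"; do
        st=$(check_key "$dir/$alias.pem") || bad=$((bad + 1))
        printf '%-15s %s\n' "$st" "$dir/$alias.pem"
    done
    return "$bad"
}

# Only act when called with a directory and at least one alias.
if [ "$#" -ge 2 ]; then
    check_token_keys "$@"
fi
```

A `dangling` result is the case of a symlink created in the new directory that still points at a file that was moved or never copied.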
