Hi, I am trying to setup OpenXPKI as an EST Server for a project.
I have an instance of OpenXPKI running using the Docker Compose https://github.com/openxpki/openxpki-docker, that can correctly issue certificates using the WebUI. It also correctly returns the Root Certificate Authority when the EST `/cacerts` endpoint is used, thanks to Oliver Welter for their help getting that working by changing the file permissions of the log directory. However when I try to request a certificate using the `/simpleenroll` endpoint and TLS Authentication, the EST server returns an HTTP 500 - Internal Server Error response. In the logs the only information is that an exceptions has been raised but not what has caused it. This is the request I am sending: curl https://<hostname>/.well-known/est/simpleenroll --cacert ./OpenXPKI_Root_CA.crt --key pkiclient.key --cert client.crt --data-binary @req.p10 -H "Content-Type: application/pkcs10" -o cert.p7 And the debug log from EST, with confidential information removed “<example>”: 2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll 2019/12/20 11:55:06 DEBUG:177 calling context is https 2019/12/20 11:55:06 INFO:177 EST authenticated client DN: CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org 2019/12/20 11:55:06 DEBUG:177 Initialize client 2019/12/20 11:55:06 DEBUG:177 Started volatile session with id: OXgmVXKLS+SV//PCKZuRig== 2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System 2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED 2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = { 'workflow' => { 'label' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL', 'state' => 'PARSED', 'reap_at' => 1576843209, 'title' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL', 'proc_state' => 'exception', 'type' => 'certificate_enroll', 'last_update' => '2019-12-20T11:55:10', 'context' => { 'req_extensions' => {}, 'csr_subject' => 'emailAddress=d...@d.com,CN=d.d.c,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU', 'workflow_id' => '9215', 'signer_cert' => '-----BEGIN CERTIFICATE----- <example> -----END CERTIFICATE----- ', 'cert_info' => '', 'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272', 'server' => 'default', 'cert_subject_alt_name' => '', 'csr_digest_alg' => 'sha256', 'req_attributes' => {}, 'wf_current_action' => 'enroll_render_subject', 'csr_key_params' => { 'key_length' => 256, 'curve_name' => 'secp256r1' }, 'creator' => 'anonymous', 'cert_san_parts' => '', 'interface' => 'est', 'wf_exception' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE', 'csr_key_alg' => 'ec', 'csr_subject_key_identifier' => '7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43', 'cert_subject_parts' => 'OXJSF1:{"EMAILADDRESS":["d...@d.com"],"CN":["d.d.c"],"C":["AU"],"O":["Internet Widgits Pty Ltd"],"ST":["Some-State"]}', 'sources' => 'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}', 'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- <example> -----END CERTIFICATE REQUEST----- ' }, 'description' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC', 'wake_up_at' => undef, 'count_try' => 0, 'id' => 9215 } }; 2019/12/20 11:55:11 INFO:177 Started new workflow 9215 2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = { 'signer_cert' => '-----BEGIN CERTIFICATE----- <example> -----END CERTIFICATE----- ', 'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- <example> -----END CERTIFICATE REQUEST----- ', 'server' => 'default', 'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272', 'interface' => 'est' }; 2019/12/20 11:55:11 ERROR:177 Internal Server Error 2019/12/20 11:55:11 INFO:177 Disconnect client When this CSR is submitted using the OpenXPKI WebUI the request is successfully, after entering the required requester information in the interface. Any help in working out why this request is failing would be much appreciated. Is there anything I need to configure to control who is authorised to issue certificates using the EST endpoint? Also is there any support for the `/simplerenroll` endpoint in OpenXPKI? This endpoint returns even less debug when called: 2019/12/20 12:04:13 DEBUG:177 Incoming request /.well-known/est/simplereenroll 2019/12/20 12:04:13 DEBUG:177 calling context is https 2019/12/20 12:04:13 INFO:177 EST authenticated client DN: CN=<exmple>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org 2019/12/20 12:04:13 TRACE:177 2019/12/20 12:04:13 INFO:177 Disconnect client 2019/12/20 12:04:13 DEBUG:177 Initialize client 2019/12/20 12:04:13 DEBUG:177 Started volatile session with id: nLpBtGmFSzy5Yt+91ryfkA== 2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
