Re: [OpenXPKI-users] EST Server Support

Oliver Welter Fri, 20 Dec 2019 09:29:17 -0800

Hi James,

I am sorry it looks like we missed to complete the sample configs forthe workflows :(

The workflow needs a configuration file which is loaded from <interfacename>.<servername> which is "est.default" in your case. Create a copy ofrpc/enroll.yaml to est/default.yaml and adjust the settings as needed.You will also be able to configure the authorization for the TLS signershere.


best regards

Oliver

Am 20.12.19 um 13:07 schrieb James Gibson:


Hi,

I am trying to setup OpenXPKI as an EST Server for a project.

I have an instance of OpenXPKI running using the Docker Compose 
https://github.com/openxpki/openxpki-docker, that can correctly issue 
certificates using the WebUI.
It also correctly returns the Root Certificate Authority when the EST 
`/cacerts` endpoint is used, thanks to Oliver Welter for their help getting 
that working by changing the file permissions of the log directory.

However when I try to request a certificate using the `/simpleenroll` endpoint 
and TLS Authentication, the EST server returns an HTTP 500 - Internal Server 
Error response. In the logs the only information is that an exceptions has been 
raised but not what has caused it.

This is the request I am sending:
curl https://<hostname>/.well-known/est/simpleenroll --cacert ./OpenXPKI_Root_CA.crt 
--key pkiclient.key --cert client.crt --data-binary @req.p10 -H "Content-Type: 
application/pkcs10" -o cert.p7

And the debug log from EST, with confidential information removed “<example>”:
2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll
2019/12/20 11:55:06 DEBUG:177 calling context is https
2019/12/20 11:55:06 INFO:177 EST authenticated client DN: 
CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 11:55:06 DEBUG:177 Initialize client
2019/12/20 11:55:06 DEBUG:177 Started volatile session with id: 
OXgmVXKLS+SV//PCKZuRig==
2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System
2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
           'workflow' => {
                           'label' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                           'state' => 'PARSED',
                           'reap_at' => 1576843209,
                           'title' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                           'proc_state' => 'exception',
                           'type' => 'certificate_enroll',
                           'last_update' => '2019-12-20T11:55:10',
                           'context' => {
                                          'req_extensions' => {},
                                          'csr_subject' => 
'emailAddress=d...@d.com,CN=d.d.c,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU',
                                          'workflow_id' => '9215',
                                          'signer_cert' => '-----BEGIN 
CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
                                          'cert_info' => '',
                                          'transaction_id' => 
'e2034e3aff35d8b893e497e354d51b2551de2272',
                                          'server' => 'default',
                                          'cert_subject_alt_name' => '',
                                          'csr_digest_alg' => 'sha256',
                                          'req_attributes' => {},
                                          'wf_current_action' => 
'enroll_render_subject',
                                          'csr_key_params' => {
                                                                'key_length' => 
256,
                                                                'curve_name' => 
'secp256r1'
                                                              },
                                          'creator' => 'anonymous',
                                          'cert_san_parts' => '',
                                          'interface' => 'est',
                                          'wf_exception' => 
'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',
                                          'csr_key_alg' => 'ec',
                                          'csr_subject_key_identifier' => 
'7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43',
                                          'cert_subject_parts' => 
'OXJSF1:{"EMAILADDRESS":["d...@d.com"],"CN":["d.d.c"],"C":["AU"],"O":["Internet Widgits Pty 
Ltd"],"ST":["Some-State"]}',
                                          'sources' => 
'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}',
                                          'pkcs10' => '-----BEGIN CERTIFICATE 
REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
'
                                        },
                           'description' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
                           'wake_up_at' => undef,
                           'count_try' => 0,
                           'id' => 9215
                         }
         };
2019/12/20 11:55:11 INFO:177 Started new workflow 9215
2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = {
           'signer_cert' => '-----BEGIN CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
           'pkcs10' => '-----BEGIN CERTIFICATE REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
',
           'server' => 'default',
           'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
           'interface' => 'est'
         };
2019/12/20 11:55:11 ERROR:177 Internal Server Error
2019/12/20 11:55:11 INFO:177 Disconnect client


When this CSR is submitted using the OpenXPKI WebUI the request is 
successfully, after entering the required requester information in the 
interface.

Any help in working out why this request is failing would be much appreciated.
Is there anything I need to configure to control who is authorised to issue 
certificates using the EST endpoint?

Also is there any support for the `/simplerenroll` endpoint in OpenXPKI? This 
endpoint returns even less debug when called:
2019/12/20 12:04:13 DEBUG:177 Incoming request /.well-known/est/simplereenroll
2019/12/20 12:04:13 DEBUG:177 calling context is https
2019/12/20 12:04:13 INFO:177 EST authenticated client DN: 
CN=<exmple>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 12:04:13 TRACE:177
2019/12/20 12:04:13 INFO:177 Disconnect client
2019/12/20 12:04:13 DEBUG:177 Initialize client
2019/12/20 12:04:13 DEBUG:177 Started volatile session with id: 
nLpBtGmFSzy5Yt+91ryfkA==
2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System







_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: [OpenXPKI-users] EST Server Support

Reply via email to