Hi people,

On every first attempt to ask OpenXPKI to sign a cert via EST, I get an
"Internal Server Error" and est.log shows this:

2020/04/22 11:01:52 DEBUG:82 Incoming request /.well-known/est/simpleenroll
2020/04/22 11:01:52 DEBUG:82 calling context is https
2020/04/22 11:01:52 INFO:82 EST authenticated client DN: CN=mar:pkiclient,O=MyOrg
2020/04/22 11:01:52 DEBUG:82 Initialize client
2020/04/22 11:01:53 DEBUG:82 Started volatile session with id: IHuKcV75QJOOFxviXrVFfA==
2020/04/22 11:01:53 DEBUG:82 Selecting auth stack _System
2020/04/22 11:02:24 INFO:82 Started new workflow
2020/04/22 11:02:24 ERROR:82 I18N_OPENXPKI_CLIENT_COLLECT_TIMEOUT
2020/04/22 11:02:24 INFO:82 Disconnect client

Notice: a lag of about 30 secs between "Selecting auth stack _System" and
"Started new workflow".

Then I send the same request and I get the cert as expected, with this in
est.log:

2020/04/22 11:06:45 DEBUG:83 Config for service est loaded
2020/04/22 11:06:45 INFO:83 EST handler initialized
2020/04/22 11:06:45 DEBUG:83 Incoming request /.well-known/est/simpleenroll
2020/04/22 11:06:45 DEBUG:83 calling context is https
2020/04/22 11:06:45 INFO:83 EST authenticated client DN: CN=mar:pkiclient,O=MyOrg
2020/04/22 11:06:45 DEBUG:83 Initialize client
2020/04/22 11:06:45 DEBUG:83 Started volatile session with id: irR/wxjJRZ2DJRVHolXs6g==
2020/04/22 11:06:45 DEBUG:83 Selecting auth stack _System
2020/04/22 11:06:45 INFO:83 Found workflow - reload 20735
2020/04/22 11:06:45 DEBUG:83 request for workflow info on 20735
2020/04/22 11:06:45 DEBUG:83 Sending cert TNQt2_XXwwn7pXHrykj9Gb09_Ys
2020/04/22 11:06:45 INFO:83 Disconnect client

This is my default.yaml in config.d/realm/myorg/est:

label: Enrollment

authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:scepclient,.*
    rule2:
        # Full DN
        subject: CN=.+:pkiclient,.*

renewal_period: 000060

# You must set at least one of both options or remove the is_policy_loaded
# condition in the workflow definition
policy:
    allow_man_authen: 0
    allow_man_approv: 0
    max_active_certs: 0
    auto_revoke_existing_certs: 1
    approval_points: 1
    export_certificate: chain

profile:
    cert_profile: tls_server
    cert_subject_style: enroll


eligible:
    initial:
        value: 1

    renewal:
        value: 1

    onbehalf:
        value: 1

Adding "-connect-timeout 60" or "--max-time 60" or both didn't help at all.

Regards,
Jeff
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
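
An added example (not part of the original post and not OpenXPKI code): a small Python script that reads est.log lines in the format quoted above, re-joins any wrapped lines, and reports long gaps between consecutive lines of the same request, such as the one before "Started new workflow". It assumes the number after the log level identifies the worker process; `parse`, `find_stalls` and the 10-second threshold are hypothetical choices made here, and the sample is an excerpt of the lines quoted in the post.

```python
import re
from datetime import datetime

# Excerpt of the est.log lines quoted in the post (wrapped lines kept as posted).
SAMPLE = """\
2020/04/22 11:01:52 DEBUG:82 Incoming request /.well-known/est/simpleenroll
2020/04/22 11:01:52 INFO:82 EST authenticated client DN:
CN=mar:pkiclient,O=MyOrg
2020/04/22 11:01:52 DEBUG:82 Initialize client
2020/04/22 11:01:53 DEBUG:82 Started volatile session with id:
IHuKcV75QJOOFxviXrVFfA==
2020/04/22 11:01:53 DEBUG:82 Selecting auth stack _System
2020/04/22 11:02:24 INFO:82 Started new workflow
2020/04/22 11:02:24 ERROR:82 I18N_OPENXPKI_CLIENT_COLLECT_TIMEOUT
2020/04/22 11:02:24 INFO:82 Disconnect client
2020/04/22 11:06:45 DEBUG:83 Selecting auth stack _System
2020/04/22 11:06:45 INFO:83 Found workflow - reload 20735
"""

# Assumption: the number after the level ("DEBUG:82") is the worker process id.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\w+):(\d+) (.*)$")

def parse(text):
    """Return [timestamp, level, pid, message] entries, re-joining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, m.group(2), int(m.group(3)), m.group(4)])
        elif entries and raw.strip():  # continuation of the previous entry
            entries[-1][3] += " " + raw.strip()
    return entries

def find_stalls(entries, threshold=10):
    """Return (pid, seconds, before, after) for gaps >= threshold inside one request."""
    last, stalls = {}, []
    for ts, _level, pid, msg in entries:
        if msg.startswith("Incoming request"):
            last.pop(pid, None)  # idle time between requests is not a stall
        if pid in last:
            gap = int((ts - last[pid][0]).total_seconds())
            if gap >= threshold:
                stalls.append((pid, gap, last[pid][1], msg))
        last[pid] = (ts, msg)
    return stalls

if __name__ == "__main__":
    print(find_stalls(parse(SAMPLE)))
```

Run against a full est.log, the same functions show whether the stall always falls between the same two log messages.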
