Hi,

I've just set up my own CA and installed OpenXPKI 3.4.0 on Debian 10. But I have warnings on the homepage, a "backend error" when validating a cert request and another error "unable to load signing key file" in openxpki.log. Any idea?


WebUI:

Your system status is critical!

No CRL found! (that's true)

Active Encryption Token not available (vault-1)

System Version 3.4.0
Hostname openxpki
Config Version api 3.2 commit 0e4104 config 3.2

Tokens of type certsign

Token Alias   Certificate Identifier            Token Status   not before                not after
ca-signer-1   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   OFFLINE        2020-06-05 11:19:23 UTC   2022-06-05 11:19:23 UTC

Tokens of type datasafe

Token Alias   Certificate Identifier            Token Status   not before                not after
vault-1       yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   OFFLINE        2020-06-05 10:20:01 UTC   2030-06-08 10:20:01 UTC

And it can't generate any cert (backend communication error)


This is the content of the openxpki.log

2020/06/05 17:08:41 ERROR OpenSSL error: 139975404565632:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139975404565632:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139975404565632:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139975404565632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139975404565632:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139975404565632:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139975404565632:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR OpenSSL error: 140605842875520:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
140605842875520:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
140605842875520:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
140605842875520:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
140605842875520:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
140605842875520:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
140605842875520:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR OpenSSL error: 139968748442752:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139968748442752:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139968748442752:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139968748442752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139968748442752:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139968748442752:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139968748442752:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

This is the content of my realm directory

root@openxpki:/etc/openxpki/ca# ls -lsrtd myownrealm/*
0 lrwxrwxrwx 1 root root       42 mai   18 15:17 myownrealm/scep-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_SCEP_RA.key
0 lrwxrwxrwx 1 root root       45 mai   18 15:17 myownrealm/ca-signer-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_Issuing_CA.key
4 -r--r--r-- 1 root openxpki 1192 juin   5 12:13 myownrealm/MYCOMPANY_Root_CA.crt
4 -r--r----- 1 root openxpki 1766 juin   5 12:13 myownrealm/MYCOMPANY_Root_CA.key
4 -r--r----- 1 root openxpki   19 juin   5 12:19 myownrealm/MYCOMPANY_Issuing_CA.pass
4 -r--r----- 1 root openxpki 3414 juin   5 12:20 myownrealm/MYCOMPANY_Issuing_CA.key
4 -rw-r--r-- 1 root root     1752 juin   5 12:20 myownrealm/MYCOMPANY_Issuing_CA.csr
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.pass
4 -r--r----- 1 root openxpki 3422 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.key
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.pass
4 -r--r--r-- 1 root openxpki 1870 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.crt
4 -r--r----- 1 root openxpki 3422 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.key
4 -rw-r--r-- 1 root root     1671 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.csr
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_WebUI.pass
4 -rw-r--r-- 1 root root     1724 juin   5 12:20 myownrealm/MYCOMPANY_WebUI.csr
4 -r--r----- 1 root root     3414 juin   5 12:32 myownrealm/MYCOMPANY_WebUI.key.bak
4 -r--r----- 1 root openxpki 3243 juin   5 12:33 myownrealm/MYCOMPANY_WebUI.key
4 -rw-r--r-- 1 root root     1346 juin   5 12:33 myownrealm/MYCOMPANY_WebUI.crt
4 -rw-r--r-- 1 root root       41 juin   5 13:19 myownrealm/MYCOMPANY_Root_CA.srl
4 -rw-r--r-- 1 root root     1424 juin   5 13:19 myownrealm/MYCOMPANY_Issuing_CA.crt
0 lrwxrwxrwx 1 root root       44 juin   5 13:32 myownrealm/vault-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_DataVault.key
4 -rw-r--r-- 1 root root       33 juin   5 16:49 myownrealm/MYCOMPANY_Root_CA.pass


This is my realm conf file (crypto.yaml):

# Sample Mockup Config for Token config of a single realm
# The left side are fixed aliases used in the code, the right side
# are arbitrarily chosen names, referencing the tokens below.
type:
  certsign: ca-signer
  datasafe: vault
  scep: scep

# The actual token setup, based on current token.xml
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL

    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem

    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI

    # OpenSSL binary location
    shell: /usr/bin/openssl

    # OpenSSL binary call gets wrapped with this command
    wrapper: ''

    # random file to use for OpenSSL
    randfile: /var/openxpki/rand

    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default

  vault:
    inherit: default
    #key: /etc/openxpki/ca/[% ALIAS %].pem

  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP

  # A different scep token for another scep server, served from datapool
  #scep-altra:
  #  inherit: ca-scep
  #  key_store: DATAPOOL
  #  key: "[% ALIAS %]"

# Define the secret groups
secret:
  default:
    label: Default secret group of this realm
    export: 0
    method: literal
    value: root

    # if you want to enter the password after startup via the Webui
    # replace method and value above with this block, kcv is optional
    # but highly recommended as wrong passwords let the engine crash
    # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
    #method: plain
    #cache: daemon
    #kcv: $argon2id$v=19$m=32768,t=3,p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Thank you for your help

Regards,

Christophe



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
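The chain in the log that ends in "EVP_DecryptFinal_ex: bad decrypt" followed by the PKCS12 pbe routines and "PEM_read_bio_PrivateKey" is what OpenSSL reports when an encrypted PKCS#8 private key is opened with a passphrase that does not match it. The script below is an added diagnostic, not code from the post or from OpenXPKI: it tries to open each token key symlink that crypto.yaml resolves to (/etc/openxpki/ca/<realm>/<alias>.pem, the ca-signer-1 / vault-1 / scep-1 links in the listing above) with the passphrase the realm's secret group supplies, so a key/passphrase mismatch can be confirmed outside the daemon; the realm path and the passphrase argument are whatever your setup uses.

```shell
#!/bin/sh
# Added diagnostic (not part of OpenXPKI): confirm that every token key a
# realm references can be decrypted with the secret group's passphrase.

# check_token_key FILE PASSPHRASE
# Returns 0 if FILE is a readable private key that decrypts with PASSPHRASE,
# 1 otherwise. The passphrase is fed on stdin so it never shows up in the
# process list the way "-passin pass:..." would.
check_token_key() {
    key_file=$1
    passphrase=$2
    if [ ! -r "$key_file" ]; then
        printf '%s: missing or unreadable (dangling symlink or permissions?)\n' "$key_file"
        return 1
    fi
    # -noout: only parse and decrypt the key, print nothing on success
    if printf '%s\n' "$passphrase" |
        openssl pkey -in "$key_file" -passin stdin -noout 2>/dev/null; then
        printf '%s: ok\n' "$key_file"
        return 0
    fi
    printf '%s: bad decrypt (passphrase does not match this key)\n' "$key_file"
    return 1
}

# check_realm_keys REALM_DIR PASSPHRASE ALIAS...
# Every token in the realm above inherits "secret: default", so one
# passphrase must open all of them; returns 0 only if each alias decrypts.
check_realm_keys() {
    realm_dir=$1
    passphrase=$2
    shift 2
    rc=0
    for alias in "$@"; do
        check_token_key "$realm_dir/$alias.pem" "$passphrase" || rc=1
    done
    return $rc
}

# Example invocation for the realm in the post, reading the passphrase from
# the .pass file next to the key instead of typing it on the command line:
# check_realm_keys /etc/openxpki/ca/myownrealm \
#     "$(cat /etc/openxpki/ca/myownrealm/MYCOMPANY_Issuing_CA.pass)" \
#     ca-signer-1 vault-1 scep-1
```

Run it as the openxpki user as well as root: a key that opens for root but not for openxpki points at the file mode or group, not the passphrase.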