Hi Oliver,

Thank you for your help!

I've added a bash shell for my openxpki user and succeeded in reading my keys with openssl as the openxpki user. So I think the permissions are right.

I've changed the method from literal to plain and entered my key password online, which was accepted.

But I have the same errors: critical, tokens offline, unable to read signing key...

Is there a way to increase log verbosity, maybe?


Regards,

Chris


On 07/06/2020 at 11:39, Oliver Welter wrote:
Hi Christophe,

The config looks good from my POV.

a) check the permissions of the realm directory.
b) if you set a different password for the keys you need to adjust the secrets section

Try to read the keys as user openxpki with the password "root" - if this does not work it's a permission problem.

Oliver


On 05.06.20 at 18:13, Christophe Baegert wrote:
Hi,


I've just set up my own CA and installed OpenXPKI 3.4.0 on Debian 10. But I have warnings on the homepage, a "backend error" when validating a cert request and another error "unable to load signing key file" in openxpki.log. Any idea?


WebUI:

Your system status is critical!

No CRL found! (that's true)

Active Encryption Token not available (vault-1)

System Version 3.4.0
Hostname openxpki
Config Version api 3.2 commit 0e4104 config 3.2

Tokens of type certsign

Token Alias   Certificate Identifier            Token Status   not before                not after
ca-signer-1   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   OFFLINE        2020-06-05 11:19:23 UTC   2022-06-05 11:19:23 UTC

Tokens of type datasafe

Token Alias   Certificate Identifier            Token Status   not before                not after
vault-1       yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   OFFLINE        2020-06-05 10:20:01 UTC   2030-06-08 10:20:01 UTC

And it can't generate any cert (backend communication error)


This is the content of the openxpki.log

2020/06/05 17:08:41 ERROR OpenSSL error:
139975404565632:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139975404565632:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139975404565632:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139975404565632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139975404565632:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139975404565632:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139975404565632:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR OpenSSL error:
140605842875520:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
140605842875520:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
140605842875520:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
140605842875520:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
140605842875520:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
140605842875520:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
140605842875520:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR OpenSSL error:
139968748442752:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
139968748442752:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139968748442752:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139968748442752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139968748442752:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
139968748442752:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
139968748442752:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]

This is the content of my realm directory:

root@openxpki:/etc/openxpki/ca# ls -lsrtd myownrealm/*
0 lrwxrwxrwx 1 root root       42 mai   18 15:17 myownrealm/scep-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_SCEP_RA.key
0 lrwxrwxrwx 1 root root       45 mai   18 15:17 myownrealm/ca-signer-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_Issuing_CA.key
4 -r--r--r-- 1 root openxpki 1192 juin   5 12:13 myownrealm/MYCOMPANY_Root_CA.crt
4 -r--r----- 1 root openxpki 1766 juin   5 12:13 myownrealm/MYCOMPANY_Root_CA.key
4 -r--r----- 1 root openxpki   19 juin   5 12:19 myownrealm/MYCOMPANY_Issuing_CA.pass
4 -r--r----- 1 root openxpki 3414 juin   5 12:20 myownrealm/MYCOMPANY_Issuing_CA.key
4 -rw-r--r-- 1 root root     1752 juin   5 12:20 myownrealm/MYCOMPANY_Issuing_CA.csr
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.pass
4 -r--r----- 1 root openxpki 3422 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.key
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.pass
4 -r--r--r-- 1 root openxpki 1870 juin   5 12:20 myownrealm/MYCOMPANY_DataVault.crt
4 -r--r----- 1 root openxpki 3422 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.key
4 -rw-r--r-- 1 root root     1671 juin   5 12:20 myownrealm/MYCOMPANY_SCEP_RA.csr
4 -r--r----- 1 root openxpki   19 juin   5 12:20 myownrealm/MYCOMPANY_WebUI.pass
4 -rw-r--r-- 1 root root     1724 juin   5 12:20 myownrealm/MYCOMPANY_WebUI.csr
4 -r--r----- 1 root root     3414 juin   5 12:32 myownrealm/MYCOMPANY_WebUI.key.bak
4 -r--r----- 1 root openxpki 3243 juin   5 12:33 myownrealm/MYCOMPANY_WebUI.key
4 -rw-r--r-- 1 root root     1346 juin   5 12:33 myownrealm/MYCOMPANY_WebUI.crt
4 -rw-r--r-- 1 root root       41 juin   5 13:19 myownrealm/MYCOMPANY_Root_CA.srl
4 -rw-r--r-- 1 root root     1424 juin   5 13:19 myownrealm/MYCOMPANY_Issuing_CA.crt
0 lrwxrwxrwx 1 root root       44 juin   5 13:32 myownrealm/vault-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_DataVault.key
4 -rw-r--r-- 1 root root       33 juin   5 16:49 myownrealm/MYCOMPANY_Root_CA.pass


This is my realm conf file (crypto.yaml):

# Sample Mockup Config for Token config of a single realm
# The left side are fixed aliases used in the code, the right side
# are arbitrarily chosen names, referencing the tokens below.
type:
    certsign: ca-signer
    datasafe: vault
    scep: scep

# The actual token setup, based on current token.xml
token:
    default:
        backend: OpenXPKI::Crypto::Backend::OpenSSL

        # Template to create key, available vars are
        # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
        key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem

        # possible values are OpenSSL, nCipher, LunaCA
        engine: OpenSSL
        engine_section: ''
        engine_usage: ''
        key_store: OPENXPKI

        # OpenSSL binary location
        shell: /usr/bin/openssl

        # OpenSSL binary call gets wrapped with this command
        wrapper: ''

        # random file to use for OpenSSL
        randfile: /var/openxpki/rand

        # Default value for import, recorded in database, can be overridden
        secret: default

    ca-signer:
        inherit: default

    vault:
        inherit: default
        #key: /etc/openxpki/ca/[% ALIAS %].pem

    scep:
        inherit: default
        backend: OpenXPKI::Crypto::Tool::LibSCEP

    # A different scep token for another scep server, served from datapool
    #scep-altra:
    #    inherit: ca-scep
    #    key_store: DATAPOOL
    #    key: "[% ALIAS %]"

# Define the secret groups
secret:
    default:
        label: Default secret group of this realm
        export: 0
        method: literal
        value: root
        # if you want to enter the password after startup via the WebUI
        # replace method and value above with this block, kcv is optional
        # but highly recommended as wrong passwords let the engine crash
        # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
        #method: plain
        #cache: daemon
        #kcv: $argon2id$v=19$m=32768,t=3,p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx




Thank you for your help

Regards,

Christophe



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users




--
Christophe Baegert

Lixium

http://www.lixium.fr
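An added triage helper, not part of this thread or of OpenXPKI, that parses the OpenSSL error-queue lines quoted in Christophe's mail and separates the decisive reason (bad decrypt, which points at Oliver's check b) from the oid_section noise that precedes every stack. The reason-to-remediation mapping is my assumption; the sample lines are the page's own log, unwrapped onto single lines.

```python
import re
from collections import Counter

# OpenSSL 1.1 error-queue line as it appears in openxpki.log:
#   <thread-id>:error:<8-hex code>:<library>:<function>:<reason>:<file>:<line>:[extra]
OPENSSL_ERR = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
)
# OpenXPKI names the failing backend command in its TOOLKIT_COMMAND_FAILED record.
TOOLKIT_CMD = re.compile(r"__COMMAND__ =>\s*OpenXPKI::Crypto::Backend::OpenSSL::Command::(\w+)")

# Assumed mapping from the decisive OpenSSL reason to the check Oliver suggested.
DIAGNOSIS = {
    "bad decrypt": "passphrase_mismatch",  # secret value does not decrypt the key (point b)
    "Permission denied": "permission",     # key not readable by user openxpki (point a)
}
# Emitted while openssl.cnf's new_oids section loads, before the key is opened;
# the stack continues past them, so they are not what takes the token offline.
NOISE_REASONS = {"oid exists", "adding object", "module initialization error"}

# Constructed sample: the first stack from Christophe's log, unwrapped onto single lines.
SAMPLE_LOG = [
    "139975404565632:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:",
    "unable to load signing key file",
    "139975404565632:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:",
    "139975404565632:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1",
    "139975404565632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:",
    "139975404565632:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:",
    "139975404565632:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:",
    "139975404565632:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:",
    "2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]",
    "2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]",
]

def parse_openssl_errors(lines):
    """Structured records for every OpenSSL error-queue line; other lines are skipped."""
    return [m.groupdict() for ln in lines if (m := OPENSSL_ERR.match(ln.strip()))]

def failing_commands(lines):
    """Backend commands OpenXPKI reported as failed, e.g. pkcs7_sign / pkcs7_decrypt."""
    return sorted({m.group(1) for ln in lines if (m := TOOLKIT_CMD.search(ln))})

def triage(lines):
    """Separate the decisive OpenSSL reason from the OID noise and name the remediation."""
    reasons = Counter(r["reason"] for r in parse_openssl_errors(lines))
    decisive = [r for r in reasons if r in DIAGNOSIS]
    return {"verdict": DIAGNOSIS[decisive[0]] if decisive else "unknown",
            "decisive_reasons": decisive, "commands": failing_commands(lines),
            "noise": sorted(r for r in reasons if r in NOISE_REASONS)}
```

Run `triage` over a chunk of openxpki.log taken as a list of lines; a `permission` verdict means Oliver's check a) applies, `passphrase_mismatch` means check b).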
