I would double check your permissions on the actual log files in /var/log/openxpki. I had nothing but failures for some reason, and when I looked at the apache2 log files they showed a permission denied on the log files. As soon as I relaxed the permissions on those log files it fired up as expected.

Thanks,
John
-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: Sunday, June 14, 2020 7:14 AM
To: [email protected]
Subject: Re: [OpenXPKI-users] Active Encryption Token not available (vault-1) / unable to load signing key file

Hi Chris,

an accepted password does not tell anything about the key - the current community version of OpenXPKI just writes the password into the internal secret storage without doing any sanity checks (you can add a KCV to check the secret, but this also does not tell you anything about the keys).

You can control the log verbosity in the log.conf file or even add the "--debug" flag to openxpkictl - details are in the man page.

I have also added a new call "get_token_info" on the development head that might be helpful but requires that you get this code onto your machines.

best regards

Oliver

On 09.06.20 at 00:20, Christophe Baegert wrote:
> Hi Oliver,
>
> Thank you for your help!
>
> I've added a bash for my openxpki user, and succeeded in reading my keys
> with openssl as the openxpki user. So I think the permissions are right.
>
> I've changed the method from literal to plain, and entered my key
> password online, which was accepted.
>
> But I have the same errors: critical, tokens offline, unable to read
> signing key...
>
> Is there a way to increase log verbosity maybe?
>
> Regards,
>
> Chris
>
> On 07/06/2020 at 11:39, Oliver Welter wrote:
>> Hi Christophe,
>>
>> the config looks good from my POV
>>
>> a) check the permissions of the realm directory.
>> b) if you set a different password for the keys you need to adjust
>> the secrets section
>>
>> Try to read the keys as user openxpki with the password "root" - if
>> this does not work it's a permission problem.
>>
>> Oliver
>>
>> On 05.06.20 at 18:13, Christophe Baegert wrote:
>>> Hi,
>>>
>>> I've just set up my own CA and installed OpenXPKI 3.4.0 on Debian 10.
>>> But I have warnings on the homepage, a "backend error" when
>>> validating a cert request and another error "unable to load signing
>>> key file" in openxpki.log. Any idea?
>>>
>>> WebUI:
>>>
>>> Your system status is critical!
>>>
>>> No CRL found! (that's true)
>>>
>>> Active Encryption Token not available (vault-1)
>>>
>>> System Version 3.4.0
>>> Hostname openxpki
>>> Config Version api 3.2 commit 0e4104 config 3.2
>>>
>>> Tokens of type certsign
>>>
>>> Token Alias   Certificate Identifier            Token Status   not before                not after
>>> ca-signer-1   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   OFFLINE        2020-06-05 11:19:23 UTC   2022-06-05 11:19:23 UTC
>>>
>>> Tokens of type datasafe
>>>
>>> Token Alias   Certificate Identifier            Token Status   not before                not after
>>> vault-1       yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   OFFLINE        2020-06-05 10:20:01 UTC   2030-06-08 10:20:01 UTC
>>>
>>> And it can't generate any cert (backend communication error)
>>>
>>> This is the content of the openxpki.log
>>>
>>> 2020/06/05 17:08:41 ERROR OpenSSL error:
>>> 139975404565632:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
>>> unable to load signing key file
>>> 139975404565632:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
>>> 139975404565632:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
>>> 139975404565632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
>>> 139975404565632:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
>>> 139975404565632:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
>>> 139975404565632:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
>>> [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR OpenSSL error:
>>> 140605842875520:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
>>> unable to load signing key file
>>> 140605842875520:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
>>> 140605842875520:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
>>> 140605842875520:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
>>> 140605842875520:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
>>> 140605842875520:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
>>> 140605842875520:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
>>> [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR OpenSSL error:
>>> 139968748442752:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
>>> unable to load signing key file
>>> 139968748442752:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
>>> 139968748442752:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
>>> 139968748442752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
>>> 139968748442752:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
>>> 139968748442752:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
>>> 139968748442752:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
>>> [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>>>
>>> This is the content of my realm directory
>>>
>>> root@openxpki:/etc/openxpki/ca# ls -lsrtd myownrealm/*
>>> 0 lrwxrwxrwx 1 root root 42 mai 18 15:17 myownrealm/scep-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_SCEP_RA.key
>>> 0 lrwxrwxrwx 1 root root 45 mai 18 15:17 myownrealm/ca-signer-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_Issuing_CA.key
>>> 4 -r--r--r-- 1 root openxpki 1192 juin 5 12:13 myownrealm/MYCOMPANY_Root_CA.crt
>>> 4 -r--r----- 1 root openxpki 1766 juin 5 12:13 myownrealm/MYCOMPANY_Root_CA.key
>>> 4 -r--r----- 1 root openxpki 19 juin 5 12:19 myownrealm/MYCOMPANY_Issuing_CA.pass
>>> 4 -r--r----- 1 root openxpki 3414 juin 5 12:20 myownrealm/MYCOMPANY_Issuing_CA.key
>>> 4 -rw-r--r-- 1 root root 1752 juin 5 12:20 myownrealm/MYCOMPANY_Issuing_CA.csr
>>> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.pass
>>> 4 -r--r----- 1 root openxpki 3422 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.key
>>> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.pass
>>> 4 -r--r--r-- 1 root openxpki 1870 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.crt
>>> 4 -r--r----- 1 root openxpki 3422 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.key
>>> 4 -rw-r--r-- 1 root root 1671 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.csr
>>> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_WebUI.pass
>>> 4 -rw-r--r-- 1 root root 1724 juin 5 12:20 myownrealm/MYCOMPANY_WebUI.csr
>>> 4 -r--r----- 1 root root 3414 juin 5 12:32 myownrealm/MYCOMPANY_WebUI.key.bak
>>> 4 -r--r----- 1 root openxpki 3243 juin 5 12:33 myownrealm/MYCOMPANY_WebUI.key
>>> 4 -rw-r--r-- 1 root root 1346 juin 5 12:33 myownrealm/MYCOMPANY_WebUI.crt
>>> 4 -rw-r--r-- 1 root root 41 juin 5 13:19 myownrealm/MYCOMPANY_Root_CA.srl
>>> 4 -rw-r--r-- 1 root root 1424 juin 5 13:19 myownrealm/MYCOMPANY_Issuing_CA.crt
>>> 0 lrwxrwxrwx 1 root root 44 juin 5 13:32 myownrealm/vault-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_DataVault.key
>>> 4 -rw-r--r-- 1 root root 33 juin 5 16:49 myownrealm/MYCOMPANY_Root_CA.pass
>>>
>>> This is my realm conf file (crypto.yaml):
>>>
>>> # Sample Mockup Config for Token config of a single realm
>>>
>>> # The left side are fixed aliases used in the code, the right side
>>> # are arbitrarily chosen names, referencing the tokens below.
>>> type:
>>>   certsign: ca-signer
>>>   datasafe: vault
>>>   scep: scep
>>>
>>> # The actual token setup, based on current token.xml
>>> token:
>>>   default:
>>>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>>>
>>>     # Template to create key, available vars are
>>>     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
>>>     key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem
>>>
>>>     # possible values are OpenSSL, nCipher, LunaCA
>>>     engine: OpenSSL
>>>     engine_section: ''
>>>     engine_usage: ''
>>>     key_store: OPENXPKI
>>>
>>>     # OpenSSL binary location
>>>     shell: /usr/bin/openssl
>>>
>>>     # OpenSSL binary call gets wrapped with this command
>>>     wrapper: ''
>>>
>>>     # random file to use for OpenSSL
>>>     randfile: /var/openxpki/rand
>>>
>>>     # Default value for import, recorded in database, can be overridden
>>>     secret: default
>>>
>>>   ca-signer:
>>>     inherit: default
>>>
>>>   vault:
>>>     inherit: default
>>>     #key: /etc/openxpki/ca/[% ALIAS %].pem
>>>
>>>   scep:
>>>     inherit: default
>>>     backend: OpenXPKI::Crypto::Tool::LibSCEP
>>>
>>>   # A different scep token for another scep server, served from datapool
>>>   #scep-altra:
>>>   #  inherit: ca-scep
>>>   #  key_store: DATAPOOL
>>>   #  key: "[% ALIAS %]"
>>>
>>> # Define the secret groups
>>> secret:
>>>   default:
>>>     label: Default secret group of this realm
>>>     export: 0
>>>     method: literal
>>>     value: root
>>>     # if you want to enter the password after startup via the Webui
>>>     # replace method and value above with this block, kcv is optional
>>>     # but highly recommended as wrong passwords let the engine crash
>>>     # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
>>>     #method: plain
>>>     #cache: daemon
>>>     #kcv: $argon2id$v=19$m=32768,t=3,p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> Thank you for your help
>>>
>>> Regards,
>>>
>>> Christophe
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Christophe Baegert
>
> Lixium
>
> http://www.lixium.fr
>

--
Protect your environment - close windows and adopt a penguin!
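Oliver's first suggestion (check the realm directory permissions, read the keys as user openxpki) can be made repeatable by auditing the `ls -lsrtd` listing Christophe posted. The following is added example code, not part of the thread or of OpenXPKI; it assumes the daemon runs as user openxpki with group openxpki, and it flags both secrets that user cannot read (through the alias symlinks too) and secrets that are world-readable.

```python
"""Audit an `ls -l` listing of an OpenXPKI realm directory: can the service
user read every .key/.pass file (also through the alias symlinks), and is
any secret world-readable? Added example, not OpenXPKI's own tooling."""
import re

# fields: blocks mode links owner group size month day time name [-> target]
LS_LINE = re.compile(r"^\s*\d+\s+([-ld][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)"
                     r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)(?:\s+->\s+(\S+))?\s*$")
SECRET_SUFFIXES = (".key", ".pass", ".key.bak")   # private material only

def parse_listing(text):
    """Return (mode, owner, group, path, target) tuples; skip non-ls lines."""
    return [m.groups() for m in map(LS_LINE.match, text.splitlines()) if m]

def readable_by(mode, owner, group, user, groups):
    """Read bit that applies to `user`: owner, then group, then other."""
    idx = 1 if owner == user else 4 if group in groups else 7
    return mode[idx] == "r"

def audit(text, user="openxpki", groups=frozenset({"openxpki"})):
    entries = parse_listing(text)
    by_name = {e[3].rsplit("/", 1)[-1]: e for e in entries}
    findings = []
    for mode, owner, group, path, target in entries:
        real = (mode, owner, group, path)
        if mode.startswith("l"):          # token alias symlink: judge the target
            hit = by_name.get((target or "").rsplit("/", 1)[-1])
            if hit is None:
                findings.append((path, "dangling symlink"))
                continue
            real = hit[:4]
        if not real[3].endswith(SECRET_SUFFIXES):
            continue                      # certificates and CSRs are public
        if not readable_by(*real[:3], user, groups):
            findings.append((path, f"not readable by {user}"))
        if real[0][7] == "r":
            findings.append((path, "world-readable secret"))
    return findings

# Sample listing taken from the thread above (subset, sizes/dates as posted).
LISTING = """\
0 lrwxrwxrwx 1 root root 44 juin 5 13:32 myownrealm/vault-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_DataVault.key
4 -r--r----- 1 root openxpki 3422 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.key
4 -r--r----- 1 root root 3414 juin 5 12:32 myownrealm/MYCOMPANY_WebUI.key.bak
4 -rw-r--r-- 1 root root 33 juin 5 16:49 myownrealm/MYCOMPANY_Root_CA.pass
4 -r--r--r-- 1 root openxpki 1870 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.crt
"""

if __name__ == "__main__":
    for path, issue in audit(LISTING):
        print(f"{issue}: {path}")
```

On the posted listing the vault-1 alias resolves to a key the daemon can read, so the OFFLINE token is not explained by file permissions; the audit instead surfaces the stale root-owned WebUI key backup and the world-readable Root CA password file.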
