Hi Oliver,

Thanks for the reply, I really appreciate the guidance.

The error in the logs I get is below, but this implies that it is looking for "/etc/openxpki/tls/endentity/" which also doesn't exist. Do I manually create this as well as the /etc/openxpki/tls/chain/? I have also searched the system for openxpki.crt using sudo find -name openxpki.crt and it doesn't exist. At what point in the guide is this performed? I assumed it was created as a part of the sampleconfig.sh. If I run this file again, it simply states that things already exist in the database.

=============================
sudo journalctl -xe
Aug 06 09:30:00 openxpki sudo[2451]: pam_unix(sudo:session): session closed for user root
Aug 06 09:30:01 openxpki CRON[2475]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 06 09:30:01 openxpki CRON[2476]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev
Aug 06 09:30:01 openxpki CRON[2475]: pam_unix(cron:session): session closed for user root
Aug 06 09:30:23 openxpki sudo[2481]: user : TTY=pts/0 ; PWD=/home/user/Documents ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Aug 06 09:30:23 openxpki sudo[2481]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 06 09:30:23 openxpki systemd[1]: Starting The Apache HTTP Server...
-- Subject: A start job for unit apache2.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit apache2.service has begun execution.
--
-- The job identifier is 1560.
Aug 06 09:30:23 openxpki apachectl[2487]: AH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/openxpki.conf:
Aug 06 09:30:23 openxpki apachectl[2487]: SSLCertificateFile: file '/etc/openxpki/tls/endentity/openxpki.crt' does not exist or is empty
Aug 06 09:30:23 openxpki apachectl[2487]: Action 'start' failed.
Aug 06 09:30:23 openxpki apachectl[2487]: The Apache error log may have more information.
Aug 06 09:30:23 openxpki systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit apache2.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
Aug 06 09:30:23 openxpki systemd[1]: apache2.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit apache2.service has entered the 'failed' state with result 'exit-code'.
Aug 06 09:30:23 openxpki systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: A start job for unit apache2.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit apache2.service has finished with a failure.
--
-- The job identifier is 1560 and the job result is failed.
Aug 06 09:30:23 openxpki sudo[2481]: pam_unix(sudo:session): session closed for user root
Aug 06 09:30:44 openxpki sudo[2502]: user : TTY=pts/0 ; PWD=/home/user/Documents ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Aug 06 09:30:44 openxpki sudo[2502]: pam_unix(sudo:session): session opened for user root by (uid=0)
===============================================

Kind regards,
Mark Robson

-----Original Message-----
From: Oliver Welter <[email protected]>
Sent: 06 August 2020 07:13
To: [email protected]
Subject: Re: [OpenXPKI-users] V3.6 instructions wrong?

Hello Mark,

On 05.08.20 at 13:32, Mark Robson wrote:
> "Starting with release 3.6 the default config uses the database to
> store the issuing ca and SCEP tokens - if you upgrade from an older
> config version check the new settings in systems/crypto.yaml."
>
> This states that in 3.6 the certs are stored in the database, but when
> you run import root CA it fails. This kind of makes sense because you
> have it in the DB, where I'm guessing it is supposed to go.

The certs have ALWAYS been in the database, the news is that the KEYs are now also loaded into the database and you don't need to place them onto the filesystem any longer. This is only relevant if you upgrade the config, if you have a running config and update the code only, the keys will stay in the filesystem.

So some more diagnostic info is appreciated - note, v3.6.0 had a bug in the openxpkiadm import, so make sure you have 3.6.1 installed!

> However when you then do openxpkictl start the server starts but you
> can't load the web ui.

I must admit you are right - the new config references "/etc/openxpki/tls/chain" as chain directory for TLS Client auth and unfortunately apache is a bit picky and crashes if this path does not exist and have at least one certificate in it. The sampleconfig.sh creates this but the package itself does not :(

> Instead if you try and restart apache, you get to see an error in the
> journal, which complains about a tls directory being missing,
> (/etc/openxpki/tls/) and therefore fails.

Expected fix: Create /etc/openxpki/tls/chain/, place your root certificate in it and run "c_rehash /etc/openxpki/tls/chain/"

Oli

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
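
Added example, not part of the thread and not OpenXPKI code: a pre-flight check for the failure discussed above, where apache2 refuses to start because a certificate file or the chain directory named in the vhost is missing or empty. The function name check_tls_paths is hypothetical, the example assumes the chain directory is set through mod_ssl's SSLCACertificatePath directive, and the sample vhost fragment is constructed.

```shell
#!/bin/sh
# Added example (not OpenXPKI code): report TLS paths in an Apache vhost file
# that would stop Apache from starting. Assumes paths contain no spaces.
check_tls_paths() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    # Directive names are case-insensitive; commented-out lines do not match.
    pairs=$(awk 'tolower($1) ~ /^ssl(certificatefile|certificatekeyfile|cacertificatepath)$/ {
                     gsub(/"/, "", $2); print tolower($1), $2 }' "$conf")
    while read -r directive path; do
        [ -n "$directive" ] || continue
        case $directive in
            sslcacertificatepath)
                # c_rehash creates <hash>.<n> symlinks; a dangling one fails -e.
                set -- "$path"/*.[0-9]
                if [ ! -d "$path" ]; then
                    echo "MISSING_DIR $path"; problems=$((problems + 1))
                elif [ ! -e "$1" ]; then
                    echo "NO_HASH_LINKS $path"; problems=$((problems + 1))
                fi ;;
            *)
                # -s is false for a missing file and for an empty one.
                [ -s "$path" ] || { echo "MISSING_OR_EMPTY $path"; problems=$((problems + 1)); } ;;
        esac
    done <<EOF
$pairs
EOF
    [ "$problems" -eq 0 ]
}

# Constructed sample: a vhost fragment in a scratch directory, nothing under /etc.
demo=$(mktemp -d)
mkdir "$demo/chain"
cat > "$demo/vhost.conf" <<EOF
    SSLCertificateFile $demo/endentity/openxpki.crt
    # SSLCertificateKeyFile $demo/ignored.pem
    SSLCACertificatePath "$demo/chain/"
EOF
check_tls_paths "$demo/vhost.conf" || echo "fix the paths above before restarting apache2"
rm -rf "$demo"
```

Pointed at /etc/apache2/sites-enabled/openxpki.conf before restarting apache2, a NO_HASH_LINKS line means the directory exists but c_rehash has not yet been run on it.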
