Hello Mark,

our vagrant test machine works as expected with the debian 3.6.1 packages from the mirror and the sampleconfig.sh so I am unable to reproduce the problem...
For manual setup check the QUICKSTART document inside the config repo
https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md

Oliver

On 20.08.20 at 14:05, Mark Robson wrote:
> Hi Oliver,
>
> I didn't hear back from you, so I hope everything is ok. If you could let me know of any progress with this, that would be great.
>
> Kind Regards,
> Mark
>
> -----Original Message-----
> From: Mark Robson
> Sent: 06 August 2020 09:39
> To: [email protected]
> Subject: RE: [OpenXPKI-users] V3.6 instructions wrong?
>
> Hi Oliver,
>
> Thanks for the reply, I really appreciate the guidance.
>
> The error in the logs I get is below, but this implies that it is looking for "/etc/openxpki/tls/endentity/" which also doesn't exist, do I manually create this as well as the /etc/openxpki/tls/chain/?
>
> I have also searched the system for openxpki.crt using sudo find -name openxpki.crt and it doesn't exist. At what point in the guide is this performed? I assumed it was created as a part of the sampleconfig.sh. If I run this file again, it simply states that things already exist in the database.
>
> =============================
> sudo journalctl -xe
> Aug 06 09:30:00 openxpki sudo[2451]: pam_unix(sudo:session): session closed for user root
> Aug 06 09:30:01 openxpki CRON[2475]: pam_unix(cron:session): session opened for user root by (uid=0)
> Aug 06 09:30:01 openxpki CRON[2476]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev
> Aug 06 09:30:01 openxpki CRON[2475]: pam_unix(cron:session): session closed for user root
> Aug 06 09:30:23 openxpki sudo[2481]: user : TTY=pts/0 ; PWD=/home/user/Documents ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
> Aug 06 09:30:23 openxpki sudo[2481]: pam_unix(sudo:session): session opened for user root by (uid=0)
> Aug 06 09:30:23 openxpki systemd[1]: Starting The Apache HTTP Server...
> -- Subject: A start job for unit apache2.service has begun execution
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- A start job for unit apache2.service has begun execution.
> --
> -- The job identifier is 1560.
> Aug 06 09:30:23 openxpki apachectl[2487]: AH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/openxpki.conf:
> Aug 06 09:30:23 openxpki apachectl[2487]: SSLCertificateFile: file '/etc/openxpki/tls/endentity/openxpki.crt' does not exist or is empty
> Aug 06 09:30:23 openxpki apachectl[2487]: Action 'start' failed.
> Aug 06 09:30:23 openxpki apachectl[2487]: The Apache error log may have more information.
> Aug 06 09:30:23 openxpki systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
> -- Subject: Unit process exited
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- An ExecStart= process belonging to unit apache2.service has exited.
> --
> -- The process' exit code is 'exited' and its exit status is 1.
> Aug 06 09:30:23 openxpki systemd[1]: apache2.service: Failed with result 'exit-code'.
> -- Subject: Unit failed
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- The unit apache2.service has entered the 'failed' state with result 'exit-code'.
> Aug 06 09:30:23 openxpki systemd[1]: Failed to start The Apache HTTP Server.
> -- Subject: A start job for unit apache2.service has failed
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- A start job for unit apache2.service has finished with a failure.
> --
> -- The job identifier is 1560 and the job result is failed.
> Aug 06 09:30:23 openxpki sudo[2481]: pam_unix(sudo:session): session closed for user root
> Aug 06 09:30:44 openxpki sudo[2502]: user : TTY=pts/0 ; PWD=/home/user/Documents ; USER=root ; COMMAND=/usr/bin/journalctl -xe
> Aug 06 09:30:44 openxpki sudo[2502]: pam_unix(sudo:session): session opened for user root by (uid=0)
> ===============================================
>
> Kind regards,
> Mark Robson
>
> -----Original Message-----
> From: Oliver Welter <[email protected]>
> Sent: 06 August 2020 07:13
> To: [email protected]
> Subject: Re: [OpenXPKI-users] V3.6 instructions wrong?
>
> Hello Mark,
>
> On 05.08.20 at 13:32, Mark Robson wrote:
>
>> "Starting with release 3.6 the default config uses the database to store the issuing ca and SCEP tokens - if you upgrade from an older config version check the new settings in systems/crypto.yaml."
>
>> This states that in 3.6 the certs are stored in the database, but when you run import root CA it fails. This kind of makes sense because you have it in the DB, where I'm guessing it is supposed to go.
>
> The certs have ALWAYS been in the database, the news is that the KEYs are now also loaded into the database and you don't need to place them onto the filesystem any longer. This is only relevant if you upgrade the config, if you have a running config and update the code only, the keys will stay in the filesystem.
>
> So some more diagnostic info is appreciated - note, v3.6.0 had a bug in the openxpkiadm import, so make sure you have 3.6.1 installed!
>
>> However when you then do openxpkictl start the server starts but you can't load the web ui.
>
> I must admit you are right - the new config references "/etc/openxpki/tls/chain" as chain directory for TLS Client auth and unfortunately apache is a bit picky and crashes if this path does not exist and have at least one certificate in it. The sampleconfig.sh creates this but the package itself not :(
>
>> Instead if you try and restart apache, you get to see an error in the journal, which complains about a tls directory being missing, (/etc/openxpki/tls/) and therefore fails.
>
> Expected fix: Create /etc/openxpki/tls/chain/, place your root certificate in it and run "c_rehash /etc/openxpki/tls/chain/"
>
> Oli
> --
> Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
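A pre-flight check for the Apache start failure discussed in this thread, added here as an example; it is not part of the original mails and not OpenXPKI code. It assumes the chain directory is referenced through mod_ssl's `SSLCACertificatePath` (the thread does not name the directive); the function name `check_tls_paths` and the status labels are hypothetical.

```shell
#!/bin/sh
# Added example: check the TLS paths an Apache vhost references before restart.
# Prints one line per problem; returns 0 only when every path is usable.
check_tls_paths() {
    conf=$1
    rc=0
    # Strip comments and keep the directives of interest as "name path".
    found=$(sed -e 's/#.*//' "$conf" |
        awk '$1 ~ /^SSL(CertificateFile|CertificateKeyFile|CACertificatePath)$/ {print $1, $2}')
    # A here-document feeds the loop so it runs in this shell and rc survives.
    while read -r directive path; do
        path=$(printf '%s' "$path" | tr -d '"')
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile)
                # Apache refuses to start if this file is missing or empty.
                if [ ! -s "$path" ]; then
                    echo "MISSING_OR_EMPTY $directive $path"; rc=1
                fi ;;
            SSLCACertificatePath)
                # Assumption: this is the directive behind the "chain directory".
                if [ ! -d "$path" ]; then
                    echo "MISSING_DIR $directive $path"; rc=1
                elif ! grep -rq -e 'BEGIN CERTIFICATE' "$path"; then
                    echo "NO_CERT $directive $path"; rc=1
                elif ! ls "$path" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
                    # c_rehash creates <subject-hash>.<n> links used for lookup.
                    echo "NOT_REHASHED $directive $path"; rc=1
                fi ;;
        esac
    done <<EOF
$found
EOF
    return $rc
}

# Run against a vhost file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_tls_paths "$1"
fi
```

Run it as `sh check_tls.sh /etc/apache2/sites-enabled/openxpki.conf` before restarting Apache; directive matching is case-sensitive and paths containing spaces are not handled.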
