Hi,

This means that a second request with the same CSR hits the server
before the first one has written the needed artefacts for a "pickup" to
the database, or that the first workflow crashed while writing to the
database. Check your workflow logs for problems with the workflow.

Oliver

On 29.01.21 at 13:39, Per Abildgaard Toft wrote:
> Hi,
>
> After digging for days, I have found out that SCEP does not support EC
> keys, and changing the cert to an RSA-based one helped a lot. However, now
> I am stuck at a workflow problem and I don't
> have a clue where to start.
>
> Could someone point me in the right direction?
>
>
> root@internal-ca02:/etc/openxpki/scep# cat default.conf
> [global]
> log_config = /etc/openxpki/scep/log.conf
> log_facility = client.scep
>
> service=LibSCEP
> socket=/var/openxpki/openxpki.socket
> realm=netic
> iprange=0.0.0.0/0
> servername=generic
> encryption_algorithm=3DES
> hash_algorithm=SHA256
>
> root@internal-ca02:/etc/openxpki/config.d/realm/netic/scep# cat generic.yaml
> # By default, all scep endpoints will use the default token defined
> # by the scep token group, if you pass a name here, it is considered
> # a group name from the alias table
> #token: scep-altra
>
> # A renewal request is only accepted if the used certificate will
> # expire within this period of time.
> renewal_period: 000060
>
> # If the request was a replacement, optionally revoke the replaced
> # certificate after a grace period
> revoke_on_replace:
>     reason_code: keyCompromise
>     delay_revocation_time: +000014
>
>
> workflow:
>     type: certificate_enroll
>     param:
>         # key: name in workflow context, value: parameter from scep wrapper
>         # server and interface are always set, the mapping below is
>         # the default set that is used when no map is given
>         transaction_id: transaction_id
>         signer_cert: signer_cert
>         pkcs10: pkcs10
>         _url_params: url_params
>         #_pkcs7: pkcs7
>
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>         #    rule2:
>         # Full DN
>         #        profile: netic_server
>         #        realm: netic
>         #    subject: CN=my.scep.enroller.com:generic,.*
>
> policy:
>     # Authentication Options
>     # Initial requests need ONE authentication.
>     # Activate Challenge Password and/or HMAC by setting the appropriate
>     # options below.
>
>     # if set requests can be authenticated by an operator
>     allow_man_authen: 1
>
>     # if set, no authentication is required at all and hmac/challenge is
>     # not evaluated even if it is set/present in the request!
>     allow_anon_enroll: 1
>
>     # Approval
>     # If not autoapproved, allow operator to add approval by hand
>     allow_man_approv: 1
>
>     # if the eligibility check failed the first time
>     # show a button to run a recheck (Workflow goes to PENDING)
>     allow_eligibility_recheck: 1
>
>     # Approval points required (eligibility and operator count as one point each)
>     # if you set this to "0", all authenticated requests are auto-approved!
>     approval_points: 1
>
>     # The number of active certs with the same subject that are allowed
>     # to exist at the same time, deducted by one if a renewal is seen
>     # set to 0 if you don't want to check for duplicates at all
>     max_active_certs: 1
>
>     # option will be removed
>     # allow_expired_signer: 0
>
>     # If an initial enrollment is seen
>     # all existing certificates with the same subject are revoked
>     auto_revoke_existing_certs: 1
>
>     # allows a "renewal" outside the renewal window, the notafter date
>     # is aligned to the old certificate. Set revoke_on_replace option
>     # to revoke the replaced certificate.
>     # This substitutes the "replace_window" from the OpenXPKI v1 config
>     allow_replace: 1
>
> response:
>     # The scep standard is a bit unclear if the root should be in the chain
>     # or not. We consider it a security risk (trust should be always set
>     # by hand) but as most clients seem to expect it, we include the root
>     # by default.
>     # The getca response contains the certificate of the SCEP server itself
>     # and of the current active issuer (which can but need not to be the same!)
>     # You can define whether to have only the certificate itself (endentity),
>     # the chain without the root (chain)  or the chain including the root
>     # (fullchain).
>     # Note: The response is cached internally in the datapool so changes
>     # will not show up immediately - to list the cached items use
>     # openxpkicli list_data_pool_entries  --arg namespace=scep.cache.getca
>     # You can delete by setting the empty string as value with
>     # set_data_pool_entry (value="" force=1)
>     getca:
>         ra:     fullchain
>         issuer: fullchain
>
>
> profile:
>   cert_profile: netic_server
>   cert_subject_style: enroll
>
> # Mapping of names to OpenXPKI profiles to be used with the
> # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
> profile_map:
>     pc-client: netic_user
>
> # HMAC based authentication
> hmac: Netic!
>
> challenge:
>     value: Netic!
>
> eligible:
>     initial:
>        value@: connector:scep.generic.connector.initial
>        args: '[% context.cert_subject_parts.CN.0 %]'
>        expect:
>          - Build
>          - New
>
>     renewal:
>        value: 1
>
>     onbehalf:
>        value: 1
>
>
> connector:
>     initial:
>         class: Connector::Proxy::YAML
>         # this file must have a key/value list with the key being
>         # the subject and the value being a true value
>         # e.g. "pc1234.example.org: 1"
>         LOCATION: /etc/openxpki/cmdb.yaml
>
> scep.log:
> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with GetCACaps [pid=81]
> 2021/01/29 12:34:50 DEB Response send [pid=81]
> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with PKIOperation [pid=81]
> 2021/01/29 12:34:50 ERR SCEP response is empty [pid=81]
>
> catch-all.log:
> 2021/01/29 13:35:17 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=57|sid=PYVL]
> 2021/01/29 13:35:17 openxpki.application.INFO SCEP incoming request, id 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
> 2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
> 2021/01/29 13:35:17 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
>
> Med venlig hilsen / Best regards
>
> *Netic A/S*
> Per Abildgaard Toft
> Senior Consultant
>
> mail...@netic.dk <mailto:p...@netic.dk>
> Phone +45 7777 0861
> Web http://netic.dk
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin! 
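Oliver's diagnosis hinges on telling two causes apart: a second PKIOperation with the same transaction id arriving while the first workflow is still in the "creating" state, versus a single request whose workflow died and left a stale datapool entry behind. The script below is an added example, not code from OpenXPKI or from either poster; it parses lines in the catch-all.log format quoted in the thread, groups them by SCEP transaction id and labels each id as a likely client retry (two "incoming request" lines within a short window) or a likely crashed workflow (only one request seen, yet PARALLEL_REQUESTS_DETECTED with __DPSTATE__ => creating). The sample log lines, the short transaction ids and the 60-second window are constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample of catch-all.log lines, modelled on the format quoted in the
# thread. Transaction ids 1111 and 2222, pids and sids are invented.
# 1111: the same transaction id arrives twice, two seconds apart -> client retry.
# 2222: one request only, but the datapool entry is already "creating" -> stale.
SAMPLE_LOG = """\
2021/01/29 13:35:15 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=55|sid=AAAA]
2021/01/29 13:35:15 openxpki.application.INFO SCEP incoming request, id 1111 [pid=55|sid=AAAA|sceptid=1111]
2021/01/29 13:35:17 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=57|sid=PYVL]
2021/01/29 13:35:17 openxpki.application.INFO SCEP incoming request, id 1111 [pid=57|sid=PYVL|sceptid=1111]
2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 1111 [pid=57|sid=PYVL|sceptid=1111]
2021/01/29 14:02:01 openxpki.application.INFO SCEP incoming request, id 2222 [pid=61|sid=QQQQ|sceptid=2222]
2021/01/29 14:02:01 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 2222 [pid=61|sid=QQQQ|sceptid=2222]
"""

# One log line: timestamp, logger name, free-text message, trailing [k=v|k=v] tags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logger>\S+) (?P<msg>.*?) \[(?P<tags>[^\]]*)\]$"
)
INCOMING_RE = re.compile(r"^SCEP incoming request, id (?P<tid>\d+)$")
PARALLEL_RE = re.compile(
    r"PKIOPERATION_PARALLEL_REQUESTS_DETECTED;.*__DPSTATE__ => (?P<state>\w+),"
    r".*__TRANSACTION_ID__ => (?P<tid>\d+)"
)


def parse_log(text):
    """Turn catch-all.log text into a list of records; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tags = dict(kv.split("=", 1) for kv in m.group("tags").split("|") if "=" in kv)
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "logger": m.group("logger"),
            "msg": m.group("msg"),
            "tags": tags,
        })
    return records


def analyse(records, window_seconds=60):
    """Group records by SCEP transaction id and label the likely cause of each
    PARALLEL_REQUESTS_DETECTED error. window_seconds is an assumed threshold."""
    per_tid = {}

    def entry(tid):
        return per_tid.setdefault(tid, {"requests": [], "parallel_errors": 0, "dpstate": None})

    for r in records:
        m = INCOMING_RE.match(r["msg"])
        if m:
            entry(m.group("tid"))["requests"].append(r["ts"])
            continue
        m = PARALLEL_RE.search(r["msg"])
        if m:
            e = entry(m.group("tid"))
            e["parallel_errors"] += 1
            e["dpstate"] = m.group("state")

    for e in per_tid.values():
        reqs = sorted(e["requests"])
        if e["parallel_errors"] == 0:
            e["diagnosis"] = "ok"
        elif len(reqs) >= 2 and (reqs[-1] - reqs[0]).total_seconds() <= window_seconds:
            # Second request with the same id arrived before the first workflow
            # finished writing its pickup data: look at the client's retry behaviour.
            e["diagnosis"] = "duplicate-request"
        else:
            # Only one request seen but the datapool entry is still in
            # "creating": the first workflow probably crashed; check workflow logs.
            e["diagnosis"] = "stale-datapool"
    return per_tid


if __name__ == "__main__":
    for tid, e in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{tid}: requests={len(e['requests'])} errors={e['parallel_errors']} "
              f"dpstate={e['dpstate']} -> {e['diagnosis']}")
```

Run it against a real catch-all.log by replacing SAMPLE_LOG with the file contents; a "stale-datapool" verdict is the case where Oliver's advice to read the workflow logs applies, while "duplicate-request" points at the client resending the same CSR.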
