Hi again,

I have found the stuck workflow in the db and removed it.

sscep enroll -u http://internal-ca/scep -k local.key -r local.csr -c ca.crt-0 -l local.crt -t 10 -n 1 -v

I am back at an error I have seen many times before, which is a workflow
error.

==> scep.log <==
2021/02/02 07:37:23 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
2021/02/02 07:37:23 DEB Response send [pid=137]
2021/02/02 07:37:23 INF Incoming request from 192.168.96.1 with GetCACert [pid=137]
2021/02/02 07:37:23 DEB Response send [pid=137]


2021/02/02 07:37:35 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
2021/02/02 07:37:35 DEB Response send [pid=137]
2021/02/02 07:38:02 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
2021/02/02 07:38:02 DEB Response send [pid=137]
2021/02/02 07:38:02 DEB Got PKIOperation via POST  [pid=137]
2021/02/02 07:38:02 DEB Decoded SCEP message <base64-encoded message omitted> [pid=137]
2021/02/02 07:38:02 INF Incoming request from 192.168.96.1 with PKIOperation [pid=137]

==> catchall.log <==
2021/02/02 08:38:03 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=38|sid=raGB]
2021/02/02 08:38:03 openxpki.application.INFO SCEP incoming request, id 2C43ABC21820BB4735F15F0076CD1B97 [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
2021/02/02 08:38:03 openxpki.application.INFO SCEP try to start new workflow for 2C43ABC21820BB4735F15F0076CD1B97 [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> openxpki.log <==
2021/02/02 08:38:03 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> catchall.log <==
2021/02/02 08:38:03 openxpki.system.ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> openxpki.log <==
2021/02/02 08:38:03 ERROR Error executing workflow activity 'enroll_initialize' on workflow id 7935 (type certificate_enroll): I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> catchall.log <==
2021/02/02 08:38:03 openxpki.workflow.ERROR Error executing workflow activity 'enroll_initialize' on workflow id 7935 (type certificate_enroll): I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> openxpki.log <==
2021/02/02 08:38:03 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> catchall.log <==
2021/02/02 08:38:03 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]

==> scep.log <==
2021/02/02 07:38:03 ERR SCEP response is empty [pid=137]



To my understanding, it's an error spawning the workflow.
Error executing workflow activity 'enroll_initialize' on workflow id 7935
(type certificate_enroll):
I can't find the workflow in the GUI or in the db.

The scep config is the default and the config points at the default tls_server
profile.

Is it possible to enable debugging so I can get an idea of why the workflow
fails?

Med venlig hilsen / Best regards

*Netic A/S*
Per Abildgaard Toft
Senior Consultant

Mail p...@netic.dk
Telefon +45 7777 0861
Web http://netic.dk
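
Added example (not code from the thread or from OpenXPKI): a small parser for the log line shapes shown above, which splits the "__KEY__ => value" error parameters and the "[pid=..|wfid=..|sceptid=..]" tag block and then groups error records by SCEP transaction id, so the failing workflow id, action and validator code can be read off directly. The line format is assumed to stay as shown in the thread; the sample lines are re-joined copies of the thread's own log entries.

```python
import re
from collections import defaultdict

# Line shape seen in the thread (assumed stable): "YYYY/MM/DD HH:MM:SS [facility.]LEVEL msg [k=v|k=v]"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?:(?P<facility>[\w.]+)\.)?"
                     r"(?P<level>[A-Z]+) (?P<msg>.*?)\s*\[(?P<tags>[^\]]*)\]\s*$")
# "__KEY__ => value" pairs that follow the I18N error code after "; "
PARAM_RE = re.compile(r"(__\w+__) => (.*?)(?=, __\w+__ =>|$)")

def parse_line(line):
    """Split one log line into timestamp, facility, level, message, tags and error params."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tags = dict(kv.split("=", 1) for kv in m["tags"].split("|") if "=" in kv)
    msg, params = m["msg"], {}
    if " => " in msg:  # error lines: "<code or prefix>; __ACTION__ => x, __ERROR__ => y, ..."
        msg, _, rest = msg.partition("; ")
        params = {k: v.strip() for k, v in PARAM_RE.findall(rest)}
    return {"ts": m["ts"], "facility": m["facility"], "level": m["level"],
            "msg": msg, "tags": tags, "params": params}

def summarize_failures(lines):
    """Group error records by SCEP transaction id: which workflow/action failed and with what code."""
    failures = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["level"].startswith("ERR"):
            continue
        tid = rec["tags"].get("sceptid")
        if not tid:
            continue  # scep.log wrapper lines carry only a pid, no transaction id
        code = re.search(r"I18N_\w+", rec["msg"])
        for key, val in (("code", code.group(0) if code else None), ("wfid", rec["tags"].get("wfid")),
                         ("action", rec["params"].get("__ACTION__")), ("error", rec["params"].get("__ERROR__"))):
            if val:
                failures[tid][key] = val
    return dict(failures)

# Constructed sample: lines from both messages in the thread, re-joined onto single lines.
SAMPLE_LINES = [
    "2021/02/02 07:38:02 INF Incoming request from 192.168.96.1 with PKIOperation [pid=137]",
    "2021/02/02 08:38:03 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=38|sid=raGB]",
    "2021/02/02 08:38:03 openxpki.system.ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]",
    "2021/02/02 07:38:03 ERR SCEP response is empty [pid=137]",
    "2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]",
]
```

Running summarize_failures(SAMPLE_LINES) yields one entry per sceptid; the wrapper's "SCEP response is empty" line is skipped because it carries no transaction id.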



On Mon, Feb 1, 2021 at 7:19 PM Oliver Welter <m...@oliwel.de> wrote:

> Hi,
>
> this means that a second request with the same CSR hits the server before
> the first one has written the needed artefacts for a "pickup" to the
> database - or - that the first workflow crashed while writing to the
> database. Check your workflow logs for problems with the workflow.
>
> Oliver
>
> On 29.01.21 at 13:39, Per Abildgaard Toft wrote:
>
> Hi,
>
> After digging for days, I have found out that SCEP does not support EC
> keys, and changing the cert to an RSA-based one helped a lot. However, now I am
> stuck at a workflow problem and I don't
> have a clue where to start.
>
> Could someone point me in the right direction?
>
>
> root@internal-ca02:/etc/openxpki/scep# cat default.conf
> [global]
> log_config = /etc/openxpki/scep/log.conf
> log_facility = client.scep
>
> service=LibSCEP
> socket=/var/openxpki/openxpki.socket
> realm=netic
> iprange=0.0.0.0/0
> servername=generic
> encryption_algorithm=3DES
> hash_algorithm=SHA256
>
> root@internal-ca02:/etc/openxpki/config.d/realm/netic/scep# cat generic.yaml
> # By default, all scep endpoints will use the default token defined
> # by the scep token group, if you pass a name here, it is considered
> # a group name from the alias table
> #token: scep-altra
>
> # A renewal request is only accepted if the used certificate will
> # expire within this period of time.
> renewal_period: 000060
>
> # If the request was a replacement, optionally revoke the replaced
> # certificate after a grace period
> revoke_on_replace:
>     reason_code: keyCompromise
>     delay_revocation_time: +000014
>
>
> workflow:
>     type: certificate_enroll
>     param:
>         # key: name in workflow context, value: parameter from scep wrapper
>         # server and interface are always set, the mapping below is
>         # the default set that is used when no map is given
>         transaction_id: transaction_id
>         signer_cert: signer_cert
>         pkcs10: pkcs10
>         _url_params: url_params
>         #_pkcs7: pkcs7
>
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>         #    rule2:
>         # Full DN
>         #        profile: netic_server
>         #        realm: netic
>         #    subject: CN=my.scep.enroller.com:generic,.*
>
> policy:
>     # Authentication Options
>     # Initial requests need ONE authentication.
>     # Activate Challenge Password and/or HMAC by setting the appropriate
>     # options below.
>
>     # if set requests can be authenticated by an operator
>     allow_man_authen: 1
>
>     # if set, no authentication is required at all and hmac/challenge is
>     # not evaluated even if it is set/present in the request!
>     allow_anon_enroll: 1
>
>     # Approval
>     # If not autoapproved, allow operator to add approval by hand
>     allow_man_approv: 1
>
>     # if the eligibility check failed the first time
>     # show a button to run a recheck (Workflow goes to PENDING)
>     allow_eligibility_recheck: 1
>
>     # Approval points required (eligibility and operator count as one point each)
>     # if you set this to "0", all authenticated requests are auto-approved!
>     approval_points: 1
>
>     # The number of active certs with the same subject that are allowed
>     # to exist at the same time, deducted by one if a renewal is seen
>     # set to 0 if you dont want to check for duplicates at all
>     max_active_certs: 1
>
>     # option will be removed
>     # allow_expired_signer: 0
>
>     # If an initial enrollment is seen
>     # all existing certificates with the same subject are revoked
>     auto_revoke_existing_certs: 1
>
>     # allows a "renewal" outside the renewal window, the notafter date
>     # is aligned to the old certificate. Set revoke_on_replace option
>     # to revoke the replaced certificate.
>     # This substitutes the "replace_window" from the OpenXPKI v1 config
>     allow_replace: 1
>
> response:
>     # The scep standard is a bit unclear if the root should be in the chain
>     # or not. We consider it a security risk (trust should be always set
>     # by hand) but as most clients seem to expect it, we include the root
>     # by default.
>     # The getca response contains the certificate of the SCEP server itself
>     # and of the current active issuer (which can but need not to be the same!)
>     # You can define whether to have only the certificate itself (endentity),
>     # the chain without the root (chain)  or the chain including the root
>     # (fullchain).
>     # Note: The response is cached internally in the datapool so changes
>     # will not show up immediately - to list the cached items use
>     # openxpkicli list_data_pool_entries  --arg namespace=scep.cache.getca
>     # You can delete by setting the empty string as value with
>     # set_data_pool_entry (value="" force=1)
>     getca:
>         ra:     fullchain
>         issuer: fullchain
>
>
> profile:
>   cert_profile: netic_server
>   cert_subject_style: enroll
>
> # Mapping of names to OpenXPKI profiles to be used with the
> # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
> profile_map:
>     pc-client: netic_user
>
> # HMAC based authentication
> hmac: Netic!
>
> challenge:
>     value: Netic!
>
> eligible:
>     initial:
>        value@: connector:scep.generic.connector.initial
>        args: '[% context.cert_subject_parts.CN.0 %]'
>        expect:
>          - Build
>          - New
>
>     renewal:
>        value: 1
>
>     onbehalf:
>        value: 1
>
>
> connector:
>     initial:
>         class: Connector::Proxy::YAML
>         # this file must have a key/value list with the key being
>         # the subject and the value being a true value
>         # e.g. "pc1234.example.org: 1"
>         LOCATION: /etc/openxpki/cmdb.yaml
>
> scep.log:
> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with GetCACaps [pid=81]
> 2021/01/29 12:34:50 DEB Response send [pid=81]
> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with PKIOperation [pid=81]
> 2021/01/29 12:34:50 ERR SCEP response is empty [pid=81]
>
> catch-all.log:
> 2021/01/29 13:35:17 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=57|sid=PYVL]
> 2021/01/29 13:35:17 openxpki.application.INFO SCEP incoming request, id 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
> 2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
> 2021/01/29 13:35:17 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>