Hi Per,

the workflow fails on the initial parameter validation and is therefore not persisted at all, so you cannot see it in the database.
The problem with the collapsed "FIELDS" parameter is fixed in the new release - if you want to give it a try, grab a current copy of OpenXPKI::Exception and replace it on the server. As an alternative you can turn on "developer debug" for this module:

    > openxpkictl --debug OpenXPKI::Server::Workflow::Validator::BasicFieldType:64 restart

This will write verbose error logging to the stderr.log.

best regards

Oliver

On 02.02.21 at 09:32, Per Abildgaard Toft wrote:
> Hi again,
>
> I have found the stuck workflow in the db and removed it.
>
> sscep enroll -u http://internal-ca/scep -k local.key -r local.csr -c ca.crt-0 -l local.crt -t 10 -n 1 -v
>
> I am back at an error I have seen many times before, which is a workflow error.
>
> ==> scep.log <==
> 2021/02/02 07:37:23 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
> 2021/02/02 07:37:23 DEB Response send [pid=137]
> 2021/02/02 07:37:23 INF Incoming request from 192.168.96.1 with GetCACert [pid=137]
> 2021/02/02 07:37:23 DEB Response send [pid=137]
>
>
> 2021/02/02 07:37:35 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
> 2021/02/02 07:37:35 DEB Response send [pid=137]
> 2021/02/02 07:38:02 INF Incoming request from 192.168.96.1 with GetCACaps [pid=137]
> 2021/02/02 07:38:02 DEB Response send [pid=137]
> 2021/02/02 07:38:02 DEB Got PKIOperation via POST [pid=137]
> 2021/02/02 07:38:02 DEB Decoded SCEP message
> [pid=137]
> 2021/02/02 07:38:02 INF Incoming request from 192.168.96.1 with PKIOperation [pid=137]
>
> ==> catchall.log <==
> 2021/02/02 08:38:03 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=38|sid=raGB]
> 2021/02/02 08:38:03 openxpki.application.INFO SCEP incoming request, id 2C43ABC21820BB4735F15F0076CD1B97 [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
> 2021/02/02 08:38:03 openxpki.application.INFO SCEP try to start new workflow for 2C43ABC21820BB4735F15F0076CD1B97 [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> openxpki.log <==
> 2021/02/02 08:38:03 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> catchall.log <==
> 2021/02/02 08:38:03 openxpki.system.ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> openxpki.log <==
> 2021/02/02 08:38:03 ERROR Error executing workflow activity 'enroll_initialize' on workflow id 7935 (type certificate_enroll): I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> catchall.log <==
> 2021/02/02 08:38:03 openxpki.workflow.ERROR Error executing workflow activity 'enroll_initialize' on workflow id 7935 (type certificate_enroll): I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> openxpki.log <==
> 2021/02/02 08:38:03 ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> catchall.log <==
> 2021/02/02 08:38:03 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
>
> ==> scep.log <==
> 2021/02/02 07:38:03 ERR SCEP response is empty [pid=137]
>
>
>
> To my understanding, it's an error spawning the workflow.
> Error executing workflow activity 'enroll_initialize' on workflow id 7935 (type certificate_enroll):
> I can't find the workflow in the GUI or in the db.
>
> The scep config is default and the config points at the default tls_server profile.
>
> Is it possible to enable debugging so I can get an idea of why the workflow fails?
>
> Med venlig hilsen / Best regards
>
> *Netic A/S*
> Per Abildgaard Toft
> Senior Consultant
>
> mail...@netic.dk
> Phone +45 7777 0861
> Web http://netic.dk
>
>
>
> On Mon, Feb 1, 2021 at 7:19 PM Oliver Welter <m...@oliwel.de> wrote:
>
> Hi,
>
> this means that a second request with the same CSR hits the server before the first one has written the needed artefacts for a "pickup" to the database - or - that the first workflow crashed while writing to the database. Check your workflow logs for problems with the workflow.
>
> Oliver
>
> On 29.01.21 at 13:39, Per Abildgaard Toft wrote:
>> Hi,
>>
>> After digging for days, I have found out that SCEP does not support EC keys, and changing the cert to an RSA based one helped a lot. However, now I am stuck at a workflow problem and I don't have a clue where to start.
>>
>> Could someone point me in the right direction?
>>
>>
>> root@internal-ca02:/etc/openxpki/scep# cat default.conf
>> [global]
>> log_config = /etc/openxpki/scep/log.conf
>> log_facility = client.scep
>>
>> service=LibSCEP
>> socket=/var/openxpki/openxpki.socket
>> realm=netic
>> iprange=0.0.0.0/0
>> servername=generic
>> encryption_algorithm=3DES
>> hash_algorithm=SHA256
>>
>> root@internal-ca02:/etc/openxpki/config.d/realm/netic/scep# cat generic.yaml
>> # By default, all scep endpoints will use the default token defined
>> # by the scep token group, if you pass a name here, it is considered
>> # a group name from the alias table
>> #token: scep-altra
>>
>> # A renewal request is only accepted if the used certificate will
>> # expire within this period of time.
>> renewal_period: 000060
>>
>> # If the request was a replacement, optionally revoke the replaced
>> # certificate after a grace period
>> revoke_on_replace:
>>     reason_code: keyCompromise
>>     delay_revocation_time: +000014
>>
>>
>> workflow:
>>     type: certificate_enroll
>>     param:
>>         # key: name in workflow context, value: parameter from scep wrapper
>>         # server and interface are always set, the mapping below is
>>         # the default set that is used when no map is given
>>         transaction_id: transaction_id
>>         signer_cert: signer_cert
>>         pkcs10: pkcs10
>>         _url_params: url_params
>>         #_pkcs7: pkcs7
>>
>> authorized_signer:
>>     rule1:
>>         # Full DN
>>         subject: CN=.+:pkiclient,.*
>>     # rule2:
>>     #     # Full DN
>>     #     profile: netic_server
>>     #     realm: netic
>>     #     subject: CN=my.scep.enroller.com:generic,.*
>>
>> policy:
>>     # Authentication Options
>>     # Initial requests need ONE authentication.
>>     # Activate Challenge Password and/or HMAC by setting the appropriate
>>     # options below.
>>
>>     # if set requests can be authenticated by an operator
>>     allow_man_authen: 1
>>
>>     # if set, no authentication is required at all and hmac/challenge is
>>     # not evaluated even if it is set/present in the request!
>>     allow_anon_enroll: 1
>>
>>     # Approval
>>     # If not autoapproved, allow operator to add approval by hand
>>     allow_man_approv: 1
>>
>>     # if the eligibility check failed the first time
>>     # show a button to run a recheck (Workflow goes to PENDING)
>>     allow_eligibility_recheck: 1
>>
>>     # Approval points required (eligibility and operator count as one point each)
>>     # if you set this to "0", all authenticated requests are auto-approved!
>>     approval_points: 1
>>
>>     # The number of active certs with the same subject that are allowed
>>     # to exist at the same time, deducted by one if a renewal is seen
>>     # set to 0 if you don't want to check for duplicates at all
>>     max_active_certs: 1
>>
>>     # option will be removed
>>     # allow_expired_signer: 0
>>
>>     # If an initial enrollment is seen
>>     # all existing certificates with the same subject are revoked
>>     auto_revoke_existing_certs: 1
>>
>>     # allows a "renewal" outside the renewal window, the notafter date
>>     # is aligned to the old certificate. Set revoke_on_replace option
>>     # to revoke the replaced certificate.
>>     # This substitutes the "replace_window" from the OpenXPKI v1 config
>>     allow_replace: 1
>>
>> response:
>>     # The scep standard is a bit unclear if the root should be in the chain
>>     # or not. We consider it a security risk (trust should be always set
>>     # by hand) but as most clients seem to expect it, we include the root
>>     # by default.
>>     # The getca response contains the certificate of the SCEP server itself
>>     # and of the current active issuer (which can but need not to be the same!)
>>     # You can define whether to have only the certificate itself (endentity),
>>     # the chain without the root (chain) or the chain including the root
>>     # (fullchain).
>>     # Note: The response is cached internally in the datapool so changes
>>     # will not show up immediately - to list the cached items use
>>     # openxpkicli list_data_pool_entries --arg namespace=scep.cache.getca
>>     # You can delete by setting the empty string as value with
>>     # set_data_pool_entry (value="" force=1)
>>     getca:
>>         ra: fullchain
>>         issuer: fullchain
>>
>>
>> profile:
>>     cert_profile: netic_server
>>     cert_subject_style: enroll
>>
>>     # Mapping of names to OpenXPKI profiles to be used with the
>>     # Microsoft Certificate Template Name Ext. (1.3.6.1.4.1.311.20.2)
>>     profile_map:
>>         pc-client: netic_user
>>
>> # HMAC based authentication
>> hmac: Netic!
>>
>> challenge:
>>     value: Netic!
>>
>> eligible:
>>     initial:
>>         value@: connector:scep.generic.connector.initial
>>         args: '[% context.cert_subject_parts.CN.0 %]'
>>         expect:
>>           - Build
>>           - New
>>
>>     renewal:
>>         value: 1
>>
>>     onbehalf:
>>         value: 1
>>
>>
>> connector:
>>     initial:
>>         class: Connector::Proxy::YAML
>>         # this file must have a key/value list with the key being
>>         # the subject and the value being a true value
>>         # e.g. "pc1234.example.org: 1"
>>         LOCATION: /etc/openxpki/cmdb.yaml
>>
>> scep.log:
>> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with GetCACaps [pid=81]
>> 2021/01/29 12:34:50 DEB Response send [pid=81]
>> 2021/01/29 12:34:50 INF Incoming request from 192.168.96.1 with PKIOperation [pid=81]
>> 2021/01/29 12:34:50 ERR SCEP response is empty [pid=81]
>>
>> catch-all.log:
>> 2021/01/29 13:35:17 openxpki.application.INFO LibSCEP PKIOperation; message type: PKCSReq [pid=57|sid=PYVL]
>> 2021/01/29 13:35:17 openxpki.application.INFO SCEP incoming request, id 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
>> 2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
>> 2021/01/29 13:35:17 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
>>
>> Med venlig hilsen / Best regards
>>
>> *Netic A/S*
>> Per Abildgaard Toft
>> Senior Consultant
>>
>> mail...@netic.dk
>> Phone +45 7777 0861
>> Web http://netic.dk
>

-- 
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
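As an added example (not code from the thread or from the OpenXPKI project), here is a small Python triage script for the openxpki.log / catchall.log line format shown in the thread: it parses the `[pid=..|sid=..|sceptid=..]` context and the `__KEY__ => value` parameters, groups errors per SCEP transaction id, and separates the two failure modes discussed above (validator rejection before the workflow is persisted, and the parallel-request detection). The function names `parse_line` and `triage` are my own; the sample lines are copied from the thread, and the verdict strings are my wording of Oliver's explanations.

```python
import re

# Constructed sample: three lines copied from the catchall.log excerpts in this thread.
SAMPLE_LOG = """\
2021/02/02 08:38:03 openxpki.application.INFO SCEP incoming request, id 2C43ABC21820BB4735F15F0076CD1B97 [pid=38|sid=raGB|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
2021/02/02 08:38:03 openxpki.system.ERROR I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATION_FAILED_ON_EXECUTE; __ACTION__ => enroll_initialize, __ERROR__ => I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID, __FIELDS__ => Array(HASH(0x556c41083b50)) [pid=38|sid=raGB|wftype=certificate_enroll|wfid=7935|sceptid=2C43ABC21820BB4735F15F0076CD1B97]
2021/01/29 13:35:17 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_LIBSCEP_COMMAND_PKIOPERATION_PARALLEL_REQUESTS_DETECTED; __DPSTATE__ => creating, __SERVER__ => generic, __TRANSACTION_ID__ => 60107490989072451039833240777151525638461989712167481202488830552887682520023 [pid=57|sid=PYVL|sceptid=60107490989072451039833240777151525638461989712167481202488830552887682520023]
"""

# "<date> <time> <facility.LEVEL or LEVEL> <message> [k=v|k=v|...]"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<msg>.*?) \[(?P<ctx>[^\]]*)\]$")
# "__KEY__ => value" pairs; the value runs until the next pair or end of message
PARAM_RE = re.compile(r"__([A-Z_]+)__ => (.*?)(?=, __[A-Z_]+__ =>|$)")


def parse_line(line):
    """Split one OpenXPKI log line into timestamp, level, message, context and I18N params."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split("|") if "=" in kv)
    level = m["src"].rsplit(".", 1)[-1]  # "ERROR" both from "openxpki.system.ERROR" and bare "ERROR"
    code = re.search(r"I18N_OPENXPKI_[A-Z_]+", m["msg"])  # first exception key in the message
    return {"ts": m["ts"], "level": level, "msg": m["msg"], "ctx": ctx,
            "code": code.group(0) if code else None,
            "params": dict(PARAM_RE.findall(m["msg"]))}


def triage(text):
    """Map each SCEP transaction id to a verdict derived from its first ERROR line."""
    findings = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "ERROR" or not rec["code"]:
            continue
        p, ctx = rec["params"], rec["ctx"]
        tid = ctx.get("sceptid") or p.get("TRANSACTION_ID", "?")
        if rec["code"].endswith("WORKFLOW_VALIDATION_FAILED_ON_EXECUTE"):
            # Validator rejected the input before the workflow was persisted; the wfid in the
            # context is allocated but the workflow will not be found in the database.
            verdict = "rejected by validator before persist: action=%s error=%s wfid=%s" % (
                p.get("ACTION"), p.get("ERROR"), ctx.get("wfid"))
        elif rec["code"].endswith("PARALLEL_REQUESTS_DETECTED"):
            # A second request with the same transaction id arrived while the first was still
            # writing its pickup artefacts (datapool state) or had crashed doing so.
            verdict = "duplicate request while datapool state=%s on server=%s" % (
                p.get("DPSTATE"), p.get("SERVER"))
        else:
            verdict = "unclassified error " + rec["code"]
        findings.setdefault(tid, verdict)  # keep the first error per transaction as root cause
    return findings


if __name__ == "__main__":
    for tid, verdict in triage(SAMPLE_LOG).items():
        print(tid, "->", verdict)
```

Run it against `cat /var/log/openxpki/catchall.log | python3 triage.py` style input by replacing `SAMPLE_LOG` with `sys.stdin.read()`; lines from scep.log parse too but carry no I18N code and are skipped.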