Hi Oliver,

thanks for the quick reply!!

When entering the curl command, no new entry is shown in the workflow UI
(test account: raop).

Regarding the TLS certificates:

----------
root@3fac13af39a4:/etc/openxpki/tls/chain# ls -la
total 5
drwxrwxrwx 1 root root    0 Aug 12 08:08 .
drwxrwxrwx 1 root root    0 Aug 12 08:08 ..
lrwxr-xr-x 1 root root 1067 Aug 12 08:08 ba0583c9.0 -> dummy.crt
-rwxr-xr-x 1 root root 1172 Aug 12 08:08 dummy.crt
lrwxr-xr-x 1 root root 1067 Aug 12 08:08 ecb921c1.0 -> dummy.crt
root@3fac13af39a4:/etc/openxpki/tls/chain# openssl x509 -in dummy.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            57:ef:16:f1:68:ea:88:0b:ed:6f:a1:ef:21:ea:b0:7c:b2:7f:ac:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Placeholder for TLS Client Auth
        Validity
            Not Before: Aug 12 08:08:57 2021 GMT
            Not After : Sep 11 08:08:57 2021 GMT
        Subject: CN = Placeholder for TLS Client Auth
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:5b:0b:b6:55:78:ef:34:b3:42:ed:91:20:8b:
                    20:a3:fd:67:1b:66:a2:27:84:56:d6:f0:46:3d:a6:
                    9a:fa:7f:67:71:b2:5d:40:2a:b7:08:7f:85:3a:db:
                    7a:ee:33:16:b7:28:d9:c8:c7:02:ae:d5:3c:00:75:
                    11:b6:9b:3c:24:44:18:0c:bf:02:b4:23:d8:d3:b5:
                    7b:87:c6:d9:96:88:47:cf:1a:a6:4f:15:53:4a:96:
                    89:8f:39:df:7d:c1:8e:c9:89:2f:38:43:88:0a:7b:
                    fc:04:7f:f0:c2:95:96:fd:a4:58:3e:5f:d8:7d:97:
                    1d:a2:cf:85:4c:60:c9:ed:a2:09:b6:ca:84:bd:6f:
                    58:9b:76:95:fd:1e:14:f3:62:7f:58:bf:8e:d0:c8:
                    4f:f3:32:5e:e1:5e:7a:04:b5:53:ae:cb:98:26:19:
                    cd:24:50:f0:5c:3b:0e:af:51:4e:6c:36:5b:67:f5:
                    5e:0f:20:1e:b2:20:7a:e7:c6:2b:24:9d:a2:94:60:
                    d9:e0:6b:4e:7f:c7:7d:f7:0d:f0:ac:eb:cc:2d:42:
                    8e:55:e1:21:e7:59:3a:26:e6:d7:f0:60:dc:80:3e:
                    55:cd:de:5f:0f:01:00:ba:ce:df:4d:5f:b0:5b:9d:
                    cd:09:d9:6f:dc:70:69:8e:8a:2c:04:95:7b:10:85:
                    1a:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                11:8F:14:D6:03:71:0F:1D:E6:BC:4E:91:39:B3:63:61:BB:75:DA:BA
            X509v3 Authority Key Identifier:
                keyid:11:8F:14:D6:03:71:0F:1D:E6:BC:4E:91:39:B3:63:61:BB:75:DA:BA
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ac:a7:66:81:75:1e:32:f4:13:c8:e4:0b:90:98:aa:7b:c6:84:
         d3:89:33:0f:a1:e3:48:2b:78:83:bf:52:af:7e:29:3e:0f:b5:
         a5:cd:66:42:6d:ac:78:84:2d:51:43:7f:a5:22:05:3a:ab:16:
         00:4a:fb:ee:19:26:33:08:9e:81:a4:ce:4f:72:b8:cf:3c:0a:
         1e:84:12:b2:25:e1:6e:0c:05:c2:39:80:67:ac:06:d1:22:ac:
         09:31:32:50:25:f7:69:61:f0:03:36:5a:3d:e6:98:13:07:77:
         49:64:1d:98:b8:bf:38:19:2f:9e:1c:83:57:84:8f:f0:f4:40:
         35:6a:6d:8d:4c:d6:11:fa:21:b0:89:3b:55:b6:0d:fa:15:1c:
         e7:0f:6b:2e:d5:1d:6a:67:bf:ed:c1:0e:f8:57:ad:86:d3:9c:
         cc:b2:8d:6f:2b:15:e1:80:87:80:a5:5a:cf:28:35:73:59:de:
         ce:f4:18:33:0e:6b:ae:88:f0:b7:62:5b:e1:4d:d1:f4:2e:19:
         59:1e:11:92:cb:3d:b0:e4:00:ff:bf:54:22:a8:5f:ac:fd:cb:
         6e:eb:6d:95:0f:45:eb:42:08:f3:7e:85:69:51:6a:a7:4b:c7:
         58:23:be:34:6b:d3:ef:f1:4f:55:80:fe:3f:ec:64:79:5b:e1:
         88:e6:ca:f4
----------

Regarding the Apache server:

----------
C:\Users\rkrahl\test>openssl s_client -connect localhost:8443
(...)
Acceptable client certificate CA names
CN = Placeholder for TLS Client Auth
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
----------

That should fit so far (am I right?)

If I now set the EST log level to debug as described, the following entries
are generated after entering the mentioned curl command:

----------
root@3fac13af39a4:/var/log/openxpki# tail -f est.log
2021/08/12 08:46:15 INFO:73 EST handler initialized
2021/08/12 08:46:16 INFO:73 Disconnect client
2021/08/12 12:13:51 DEBUG:71 Config for service est loaded
2021/08/12 12:13:51 INFO:71 EST handler initialized
2021/08/12 12:13:51 DEBUG:71 Incoming request /.well-known/est/simpleenroll
2021/08/12 12:13:51 DEBUG:71 Autodetect config file for service est: default.conf
2021/08/12 12:13:51 DEBUG:71 calling context is https
2021/08/12 12:13:51 DEBUG:71 EST unauthenticated (no cert)
2021/08/12 12:13:51 DEBUG:71 Autodetect config file for service est: default.conf
2021/08/12 12:13:51 DEBUG:71 $VAR1 = {
          'workflow' => 'certificate_enroll',
          'pickup_attribute' => 'transaction_id',
          'pickup' => 'pkcs10'
        };
2021/08/12 12:13:51 DEBUG:71 Pickup via attribute with transaction_id => e0fff73e7ddf65f94c239e7f1b8c0ecd707fdc38
2021/08/12 12:13:51 DEBUG:71 Initialize client
2021/08/12 12:13:51 DEBUG:71 Started volatile session with id: LOtvQJ2OTdS0oRYR6pBaiA==
2021/08/12 12:13:51 DEBUG:71 Selecting auth stack _System
2021/08/12 12:13:51 DEBUG:71 Pickup 767 for e0fff73e7ddf65f94c239e7f1b8c0ecd707fdc38
2021/08/12 12:13:51 DEBUG:71 request for workflow info on 767
2021/08/12 12:13:51 INFO:71 Disconnect client
----------

I'm a little lost with the problem...
I thank you in advance for any given help! :)

Best regards/ Liebe Grüße
rkrahl
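The check Oliver suggests (is the issuing CA of the client certificate present in /etc/openxpki/tls/chain/ under its hash symlink?) can be scripted. The following is an added example by the editor, not code from the thread or from the OpenXPKI project: it computes the OpenSSL issuer hash of a client certificate, looks for `<hash>.0` in a chain directory, and confirms that the file found there really carries the issuer's subject name. To run offline it builds its own throwaway CA, client certificate and two chain directories in a temporary directory (one holding only a placeholder CA, mirroring the listing above, one holding the real issuer); those names and paths are constructed for the example and not taken from any real installation.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of OpenXPKI itself.
# Checks whether the issuer of an EST client certificate is present in an
# Apache CA chain directory under its OpenSSL hash symlink (<hash>.0).
# Everything below runs in a temporary directory; no real files are touched.
set -eu

# issuer_in_chain CLIENT_CERT CHAIN_DIR
# Returns 0 if CHAIN_DIR/<issuer_hash>.0 exists and its subject equals the
# client certificate's issuer DN, 1 otherwise. Prints a one-line diagnosis.
issuer_in_chain() {
    client="$1"; chain="$2"
    issuer=$(openssl x509 -in "$client" -noout -issuer)        # "issuer=CN = ..."
    hash=$(openssl x509 -in "$client" -noout -issuer_hash)     # e.g. ba0583c9
    link="$chain/$hash.0"
    if [ ! -e "$link" ]; then
        echo "MISSING: no $link for [$issuer]; Apache will not advertise this CA"
        return 1
    fi
    subject=$(openssl x509 -in "$link" -noout -subject)        # "subject=CN = ..."
    # Strip the "issuer="/"subject=" prefixes and compare the DN text only.
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "MISMATCH: $link has subject [$subject] but client issuer is [$issuer]"
        return 1
    fi
    echo "OK: $link carries the client certificate's issuer [$issuer]"
    return 0
}

# --- constructed fixture: a small CA, a client certificate it issued, and two chain dirs ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical issuing CA (self-signed) and a client certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Issuing CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tls cert" \
    -keyout tls.key -out tls.csr >/dev/null 2>&1
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -out tls.crt >/dev/null 2>&1

# Chain directory 1: only a placeholder CA, as in the /etc/openxpki/tls/chain listing above.
mkdir placeholder_chain good_chain
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Placeholder for TLS Client Auth" \
    -keyout ph.key -out placeholder_chain/dummy.crt >/dev/null 2>&1
ln -s dummy.crt "placeholder_chain/$(openssl x509 -in placeholder_chain/dummy.crt -noout -hash).0"

# Chain directory 2: the real issuing CA installed under its subject-hash symlink.
cp ca.crt good_chain/ca.crt
ln -s ca.crt "good_chain/$(openssl x509 -in ca.crt -noout -hash).0"

issuer_in_chain tls.crt placeholder_chain || true   # reports MISSING
issuer_in_chain tls.crt good_chain                   # reports OK
```

A MISSING result for the directory that holds only the placeholder certificate is the situation the listing and the `s_client` output above describe: Apache can only request client certificates from CAs whose subject-hash symlink it finds in that directory, so a certificate from any other issuer is never presented to the EST handler. The script does not replace the `openssl s_client` check, which shows what the running server actually advertises after a restart.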

On Tue, 10 Aug 2021 at 06:40, Oliver Welter <m...@oliwel.de> wrote:

> Hi Robert,
>
> can you please look into the workflow via the UI and check if you can see
> the "signer certificate" in the workflow?
> If not, check if the Issuing CA you used is in /etc/openxpki/tls/chain/
> and the symlink with the hash value exists for it. To check if apache is
> set up properly, run
>
> openssl s_client -connect localhost:8443
>
> and look for the line "Acceptable client certificate CA names", the
> issuing ca of your client certificate should be listed here.
>
> The logline with the Anonymous login is ok, the connection to the server
> from the EST process is done with the anonymous System stack, the
> authentication certificate is passed in as a parameter. If this all does
> not help, raise the log level to debug in "est/log.conf" (restart apache)
> and check the logfile for what is coming into the system.
>
> Oliver
>
> On 09.08.21 at 15:28, Robert Krahl wrote:
>
> Hello everyone,
>
> I am currently trying my best with Openxpki.
> More precisely, I want to use EST to automatically issue or renew
> certificates.
> Regarding the deployment, I have made use of the docker resource and the
> shell script "sampleconfig.sh". So far so good.
> I have made some adjustments to the file "est/default.yaml".
> I have modified the following:
>
>       allow_anon_enroll: 0
>       approval_points: 0
>
> This should allow only authenticated EST queries to get through and then
> be processed automatically.
>
> Now I have created a keypair using OpenSSL:
>
>      > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tls cert" -keyout tls.key -out tls.csr
>
> I then used the generated "tls.csr" and the Web-GUI to create a
> certificate ("tls.crt") in PEM format (Certificate Profile: TLS Client;
> Application Name: pkiclient).
> Now I have created another keypair:
>
>      > openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test cert" -keyout test.key -outform der -out - | base64 > test.pem
>
> The next thing I'm trying to do is make an authenticated EST query using
> Curl and the artifacts I've created:
>
>      > curl -v -k -H "Content-Type: application/pkcs10" --data @test.pem --key tls.key --cert tls.crt https://localhost:8443/.well-known/est/simpleenroll -o device.b64
>
> My problem is that the file "device.b64" does not contain the certificate,
> but:
>
>      Request was rejected:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_AUTHENTICATED
>
> I don't know if it helps, but in "var/log/openxpki/openxpki.log" the
> following entry occurs after the Curl command:
>
>      2021/08/09 13:09:58 INFO Login successful (user: Anonymous, role: System) [pid=711|sid=IKeI]
>
> There is something I seem to be doing wrong or overlooking regarding the
> authentication.... I am very grateful for any help!
>
> Best regards/ Liebe Grüße
> rkrahl
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>