Well, I'm an idiot! I was trying to sign a 2 year cert but my ca-signer expires before then. Any way to delete this thread? Or just leave it for historic reference :)
Last question - I can add a new, additional ca-signer (next generation) and have it co-exist with my current one? That's the roll-over feature, right?

On Mon, May 09, 2022 at 4:27 PM, Nick Dawson <[email protected]> wrote:

> And, in case this provides any more insight, here's my aliases
>
> === functional token ===
> ca-signer (certsign):
>   Alias     : ca-signer-1
>   Identifier: H7_DJuEmAEppVvzsadtfPufca1Y
>   NotBefore : 2020-11-08 03:52:59
>   NotAfter  : 2023-11-08 03:52:59
>
> scep (scep):
>   Alias     : scep-1
>   Identifier: t1PGk55B7nW5GAPxh_k30viFjDQ
>   NotBefore : 2021-06-22 18:11:29
>   NotAfter  : 2023-01-08 18:11:29
>
> vault (datasafe):
>   Alias     : vault-2
>   Identifier: 8ztpZtRi0-qJDN8LN9WucwqvTC8
>   NotBefore : 2021-10-13 19:15:38
>   NotAfter  : 2022-10-13 19:15:38
>
> === root ca ===
> current root ca:
>   Alias     : root-1
>   Identifier: 1jrExIbjvaH32Gt95NvWKczZNvA
>   NotBefore : 2020-11-08 03:52:48
>   NotAfter  : 2025-11-08 03:52:48
>
>
> On Mon, May 09, 2022 at 4:18 PM, Nick Dawson <[email protected]> wrote:
>
> Hey friends,
> I needed to sign some CSRs today and ran into a problem out of the blue. All
> my attempts to issue a cert result in a paused workflow. I'm hoping y'all
> might have some ideas for troubleshooting (and hopefully fixing). It seems
> like the system cannot find my ca-signer.
>
> In the system status, it is all green and shows the signer cert as online.
>
> Here's the error in my log:
>
> 2022/05/09 14:09:53 openxpki.application.ERROR NICE backend error: Could
> not find token alias by group; __group__ => ca-signer, __noafter__ =>
> 1715285393, __notbefore__ => 1652126993,
>
> Here's my crypto.yml
>
> ca-signer:
>   inherit: default
>   key_store: DATAPOOL
>   key: "[% ALIAS %]"
>   #key: /usr/local/etc/openxpki/ca/dzsec/ca-one-signer-1.pem
>   secret: dzsecsec
>
> I tried to re-register the signer cert alias:
> Certificate already registered as alias:
>   Alias     : ca-signer-1
>   Identifier: H7_DJuEmAEppVvzsadtfPufca1Y
>   NotBefore : 2020-11-08 03:52:59
>   NotAfter  : 2023-11-08 03:52:59
>
> ERROR: certificate already exisits in group
> Alias: ca-signer-1
>
> Just for good measure, I tried to remove the alias:
> openxpkiadm alias --realm dzsec --remove --alias ca-signer-1
>
> And then re-added it successfully. I restarted mysql and OpenXPKI and I
> still have the original issue.
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
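An added example, not part of the original thread and not OpenXPKI code: it parses an alias listing in the format quoted above and checks which aliases in a token group are valid for the whole window given by the two epoch values in the logged error. It assumes the lookup needs a signer that covers the entire requested validity, which is what the thread's resolution suggests, and that the listing's timestamps are UTC; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed input: two groups from the alias listing quoted in the thread.
ALIAS_LISTING = """\
ca-signer (certsign):
  Alias     : ca-signer-1
  Identifier: H7_DJuEmAEppVvzsadtfPufca1Y
  NotBefore : 2020-11-08 03:52:59
  NotAfter  : 2023-11-08 03:52:59

vault (datasafe):
  Alias     : vault-2
  Identifier: 8ztpZtRi0-qJDN8LN9WucwqvTC8
  NotBefore : 2021-10-13 19:15:38
  NotAfter  : 2022-10-13 19:15:38
"""
# Window from the logged error (__notbefore__, __noafter__), epoch seconds.
REQ_NOTBEFORE, REQ_NOTAFTER = 1652126993, 1715285393

GROUP_RE = re.compile(r"^(\S+) \(\w+\):$")
FIELD_RE = re.compile(r"^(Alias|NotBefore|NotAfter)\s*:\s*(.+)$")

def to_epoch(ts):
    # Assumption: the listing prints UTC timestamps.
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def parse_aliases(text):
    """Return one dict per alias: group, alias, NotBefore, NotAfter (epochs)."""
    aliases, group = [], None
    for line in map(str.strip, text.splitlines()):
        if m := GROUP_RE.match(line):
            group = m.group(1)
        elif m := FIELD_RE.match(line):
            key, value = m.groups()
            if key == "Alias":
                aliases.append({"group": group, "alias": value})
            elif aliases:
                aliases[-1][key] = to_epoch(value)
    return aliases

def covering(aliases, group, notbefore, notafter):
    """Aliases in `group` valid for the whole [notbefore, notafter] window."""
    return [a["alias"] for a in aliases if a["group"] == group
            and a["NotBefore"] <= notbefore and a["NotAfter"] >= notafter]

if __name__ == "__main__":
    found = covering(parse_aliases(ALIAS_LISTING), "ca-signer",
                     REQ_NOTBEFORE, REQ_NOTAFTER)
    print(found or "no ca-signer alias covers the requested validity window")
```

Running the same check with a requested end date no later than the signer's NotAfter returns `ca-signer-1`, which makes it a quick pre-flight test before submitting a CSR with a long validity.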
