My openxpki.conf under apache looks like this:

########################################
AddHandler fcgid-script .fcgi

# Note: Those settings are part of the general server configuration and
# might be defined somewhere else overwriting the settings made here!
<IfModule mod_ssl.c>
# Disable old TLS versions
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Enforce cipher suite settings that are considered to be good
# Leaves DHE based key exchanges with AES and SHA256+ encryption (+POLY1305/CHACHA)
# You might need to relax this if you need to talk with older clients or
# resource limited IoT devices - YMMV
SSLCipherSuite HIGH:!NULL:+AES:!CAMELLIA:!SEED:!ARIA:!IDEA:!DES:!3DES:!RC2:!RC4:!PSK:!SHA:!MD5:!RSA:!AESCCM:!DSS:!ADH
</IfModule>

# Some people think it is a risk to expose information about the server
# These settings reduce the information disclosure to the bare minimum
# You should also remove any unused modules from the server!
TraceEnable Off
ServerSignature Off
ServerTokens Prod

# SCEP + CRL & CA Download
<VirtualHost *:80>

    ServerAlias *
    DocumentRoot /var/www/

    # Make SCEP available under /scep
    ScriptAlias /scep /usr/lib/cgi-bin/scepv3.fcgi
    <IfVersion >= 2.4.10>
    RequestHeader setifempty Content-Type application/pkcs7 "expr=%{REQUEST_METHOD} == 'POST'"
    </IfVersion>

    # Prevent apache from adding a charset header for SCEP responses
    # some clients do not handle this properly :(
    <Location "/scep">
    AddDefaultCharset off
    </Location>

    # Activate this to use the new "config from socket" feature - experimental!
    # FcgidInitialEnv OPENXPKI_SCEP_CLIENT_CONF_SOCKET /var/openxpki/openxpki.socket

    # builtin healthcheck
    ScriptAlias /healthcheck /usr/lib/cgi-bin/healthcheck.fcgi

    # RPC
    # uncomment if you want RPC over plain HTTP
    ScriptAlias /rpc  /usr/lib/cgi-bin/rpc.fcgi

    # Redirect anything else to HTTPS
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !scep
    RewriteCond %{REQUEST_FILENAME} !rpc
    RewriteCond %{REQUEST_FILENAME} !download
    RewriteCond %{REQUEST_FILENAME} !healthcheck
    RewriteCond %{REQUEST_FILENAME} !.well-known
    RewriteRule ^.*$ https://%{HTTP_HOST}$1 [L,R=301,NC]

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerAlias *
    DocumentRoot /var/www/

    SSLEngine On
    SSLCertificateFile /etc/openxpki/tls/endentity/openxpki.crt
    SSLCertificateChainFile /etc/openxpki/tls/endentity/openxpki.crt
    SSLCertificateKeyFile /etc/openxpki/tls/private/openxpki.pem

    SSLCACertificatePath /etc/openxpki/tls/chain
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

    # Activate this to use the new "config from socket" feature - experimental!
    # FcgidInitialEnv OPENXPKI_RPC_CLIENT_CONF_SOCKET /var/openxpki/openxpki.socket
    # FcgidInitialEnv OPENXPKI_EST_CLIENT_CONF_SOCKET /var/openxpki/openxpki.socket

    # RPC
    ScriptAlias /rpc  /usr/lib/cgi-bin/rpc.fcgi

    # builtin healthcheck
    ScriptAlias /healthcheck /usr/lib/cgi-bin/healthcheck.fcgi

    # certEP (3rd Party Plugin)
    ScriptAlias /certep  /usr/lib/cgi-bin/certep.fcgi

    # EST (RFC7030)
    ScriptAlias /.well-known/est  /usr/lib/cgi-bin/est.fcgi

    # SimpleCMC (RFC5272 - EE only)
    ScriptAlias /cmc  /usr/lib/cgi-bin/cmc.fcgi

    ScriptAliasMatch ^/(([a-z0-9-]+)/)?cgi-bin/webui.fcgi /usr/lib/cgi-bin/webui.fcgi

    RewriteEngine On

    # Redirect empty path to generic openxpki url - turn off if you have a start page
    RewriteRule ^/$ https://%{HTTP_HOST}/openxpki/ [L,R=301,NC]

    # Append a trailing slash
    RewriteRule ^/([a-z0-9-]+)$ https://%{HTTP_HOST}/$1/ [L,R=301,NC]

    # Map non existing directories to openxpki application starter
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
    RewriteRule ^/([a-z0-9-]+)/$ /var/www/openxpki/index.html [L]

    # No access to index page in openxpki subdir
    # RewriteRule ^openxpki/?$ https://%{HTTP_HOST}/ [L,R=301,NC]

    # Map all other resources to the openxpki subdir
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
    RewriteCond %{REQUEST_FILENAME} !(cgi-bin|rpc|cmc|certep|download|healthcheck)
    RewriteRule ^/([a-z0-9-]+)/(.*) /var/www/openxpki/$2 [L,NC]

    # Set security headers
    <IfModule mod_headers.c>
    Header set Strict-Transport-Security max-age=31536000
    Header set X-Frame-Options deny
    Header set X-XSS-Protection "1; mode=block;"
    </IfModule>
    #<Location "/rpc">
    #    SSLVerifyClient optional
    #    SSLOptions +StdEnvVars +ExportCertData
    #</Location>

</VirtualHost>
</IfModule>

<Directory "/usr/lib/cgi-bin/">
    AllowOverride None
    Options +ExecCGI
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

<Directory /var/www/>
#    Options FollowSymLinks
#    AllowOverride FileInfo
    Require all granted
</Directory>

########################################

Is there anything missing or something that looks unusual? I've seen in the
tutorials that they use port 8080, but if I try to query using that port, I
just get "curl: (7) Failed to connect to localhost port 8080: Connection
refused", as it seems like there's nothing listening.

-Simon

On Tue, 9 Aug 2022 at 9.24, Oliver Welter ([email protected]) wrote:

> Hi Simon,
>
> RPC is usually not active on Port 80 so I assume you have messed with the
> apache configuration but to be honest - I have no idea what is wrong here.
>
> Oliver
> On 09.08.22 06:30, Simon Borg wrote:
>
> Can confirm that apache2 is running:
>
> root      1563  0.0  0.2  12676  9700 ?        Ss   Aug08   0:02 /usr/sbin/apache2 -k start
> www-data 12294  0.0  0.1  12164  3708 ?        S    00:00   0:00 /usr/sbin/apache2 -k start
> www-data 12295  0.0  0.1 758560  6820 ?        Sl   00:00   0:00 /usr/sbin/apache2 -k start
> www-data 12296  0.0  0.1 758560  6820 ?        Sl   00:00   0:00 /usr/sbin/apache2 -k start
>
> as well as openxpki processes:
>
> openxpki  4401  0.0  4.4 179220 156932 ?       S    Aug08   0:25 openxpkid (main) watchdog (idle)
> openxpki  4402  0.0  4.4 179220 157000 ?       S    Aug08   0:02 openxpkid (main) server
>
> On Mon, 8 Aug 2022 at 21.16, Oliver Welter ([email protected]) wrote:
>
>> The error message is very clear, the server is not running but I was
>> wondering that you say the WebUI works but the RPC does not....
>>
>> check if the server is running.
>>
>>
>> On 08.08.22 at 18:32, Simon Borg wrote:
>> > I do have log.conf under rpc/. All user groups have read permissions to
>> > the file. This is what the file looks like:
>> >
>> > #########################################
>> > # Log4perl Config for the REST Handler
>> > # Note - the handler runs with the privileges of the webserver user
>> > # ensure appropriate rights for the used log files!
>> >
>> > log4perl.category.client.rpc = INFO, Logfile
>> >
>> > log4perl.appender.Logfile  = Log::Log4perl::Appender::File
>> > log4perl.appender.Logfile.recreate = 1
>> > log4perl.appender.Logfile.recreate_check_interval = 120
>> > log4perl.appender.Logfile.filename = /var/log/openxpki/rpc.log
>> > log4perl.appender.Logfile.layout   = Log::Log4perl::Layout::PatternLayout
>> > log4perl.appender.Logfile.layout.ConversionPattern = %d %p{3} %m [pid=%P]%n
>> > log4perl.appender.Logfile.syswrite  = 1
>> > #########################################
>> >
>> > I did get messages earlier to rpc.log, so I believe that part should
>> > work. Some entries I got earlier:
>> >
>> > 2022/08/08 10:47:39 WAR Unable to detect script name - please check the docs [pid=1186]
>> > 2022/08/08 10:47:39 ERR Unable to query OpenAPI specification from OpenXPKI server: I18N_OPENXPKI_CLIENT_SEND_RECEIVE_SERVICE_MSG_ERROR_DURING_SEND_SERVICE_MSG; __EVAL_ERROR__ => I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; __ERROR__ => No such file or directory, __SOCKETFILE__ => /var/openxpki/openxpki.socket [pid=1186]
>> > 2022/08/08 10:47:39 ERR 50004 - Unable to query OpenAPI specification from OpenXPKI server [pid=1186]
>> >
>> > However, sending queries to RPC now does not write anything to the file.
>> >
>> > On Mon, 8 Aug 2022 at 18.00, Oliver Welter ([email protected]) wrote:
>> >
>> >     Hi Simon,
>> >
>> >     does your log config exist and is it readable by the apache process?
>> >
>> >     Oliver
>> >
>> >     On 08.08.22 16:12, Simon Borg wrote:
>> >      > Hi,
>> >      >
>> >      > I have followed the quickstart guide in
>> >      > https://openxpki.readthedocs.io/en/latest/quickstart.html and managed
>> >      > to get openxpki web UI working (used the sampleconfig script). So now
>> >      > I'm running openxpki version 3.20 on Debian 10.
>> >      >
>> >      > My goal is to automate some stuff using the RPC, but I can't make it
>> >      > work even after browsing the mail archives. I for example have
>> >      > /etc/openxpki/rpc/public.conf which has the following inside:
>> >      >
>> >      > ######################################################
>> >      > [global]
>> >      > log_config = /etc/openxpki/rpc/log.conf
>> >      > log_facility = client.rpc
>> >      > socket = /var/openxpki/openxpki.socket
>> >      > realm = democa
>> >      > #locale_directory: /usr/share/locale
>> >      > default_language = en_US
>> >      >
>> >      > [auth]
>> >      > stack = _System
>> >      >
>> >      > [input]
>> >      > allow_raw_post = 1
>> >      > parse_depth = 5
>> >      >
>> >      > [output]
>> >      > use_http_status_codes=1
>> >      >
>> >      > [openapi]
>> >      > title = Public Certificate API
>> >      >
>> >      > [SearchCertificate]
>> >      > workflow = certificate_search
>> >      > param = common_name
>> >      > # append "certificate" if you want the full PEM block in the result
>> >      > output = cert_identifier, notbefore, notafter, status
>> >      > ######################################################
>> >      >
>> >      > If I call for example: curl -F "method=openapi-spec"
>> >      > http://localhost:80/rpc/public
>> >      >
>> >      > It returns the following message:
>> >      > {"error":{"code":50000,"message":"Unable to fetch configuration from server - connect failed","data":{"pid":4518}},"rpc_failure":1}
>> >      >
>> >      > I have tried other methods too also from enroll.conf, but they always
>> >      > return the same error.
>> >      >
>> >      > Also nothing gets written into /var/log/openxpki/rpc.log or
>> >      > catchall.log. Only apache2:s error.log gets the line [Mon Aug 08
>> >      > 14:09:10.638387 2022] [fcgid:warn] [pid 1565:tid 140651006596864]
>> >      > [client ::1:58404] mod_fcgid: stderr: [Mon Aug  8 14:09:10 2022]
>> >      > rpc.fcgi: Client Connect Failed: Can't call method "error" on an
>> >      > undefined value at /usr/lib/cgi-bin/rpc.fcgi line 108.
>> >      >
>> >      > At this point I'm running out of ideas to try, what should I do next?
>> >      >
>> >      > Best,
>> >      >
>> >      > Simon
>> >      >
>> >      >
>> >      > _______________________________________________
>> >      > OpenXPKI-users mailing list
>> >      > [email protected]
>> >      > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>> >
>> >     --
>> >     Protect your environment -  close windows and adopt a penguin!
>> >
>>
>>
>> --
>> Protect your environment -  close windows and adopt a penguin!
>>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
>
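
An added diagnostic, not part of the original thread or of OpenXPKI: the rpc.log entry quoted above reports "No such file or directory" for /var/openxpki/openxpki.socket, and this Python probe separates that case from a permission problem and from a stale socket file with no listener. The function name and result strings are assumptions made for this example; only the socket path comes from the thread.

```python
import errno
import os
import socket
import stat

# Socket path as given in the thread's public.conf ("socket = ...").
DEFAULT_SOCKET = "/var/openxpki/openxpki.socket"


def _errname(exc):
    """Map an OSError to its symbolic errno name, e.g. ENOTDIR."""
    return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe_unix_socket(path=DEFAULT_SOCKET, timeout=2.0):
    """Classify the outcome of connecting to a UNIX domain socket.

    Returns 'ok', 'missing', 'not-a-socket', 'permission-denied',
    'refused' or 'error:<ERRNO>' (hypothetical labels for this example).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"            # daemon not running or wrong path
    except PermissionError:
        return "permission-denied"  # a parent directory is not searchable
    except OSError as exc:
        return _errname(exc)
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect(path)
    except PermissionError:
        return "permission-denied"  # caller lacks write access to the socket
    except ConnectionRefusedError:
        return "refused"            # file exists but nothing is listening
    except OSError as exc:
        return _errname(exc)
    finally:
        client.close()
    return "ok"


if __name__ == "__main__":
    print(f"uid={os.geteuid()} {DEFAULT_SOCKET} -> {probe_unix_socket()}")
```

Run it as the web server account (www-data in the process list above), because the handler connects with that user's privileges and a result obtained as root hides permission problems.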