Very sorry to send so many messages - would rather give complete
information and not waste anyone's time.

I note that the current defaults for the realm-specific crypto.yaml
specify this:
    shell: /usr/bin/openca-scep

There is no openca-scep package for FreeBSD (my host) and the openca-tools
don't compile under FreeBSD 13.x.

Does OpenXPKI still require openca-tools or is it all built in now?

Logs also show this, which suggests the openca-scep package is not found.

2023/06/11 20:39:47 openxpki.system.ERROR OpenSSL error: Invalid command
'-print_msgtype'; type "help" for a list.
[pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype
-noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out
/var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype
-noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out
/var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR Error executing SCEP command
'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype
-noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out
/var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]


On Sun, Jun 11, 2023 at 5:40 PM, Nick Dawson <nd+openx...@nickdawson.net>
wrote:

> Update:
>
> Discovered adding this to the services section of system.yaml seems to work:
>
>     SCEP:
>         enabled: 1
>
> Interestingly, I looked for that in the default system.yaml on GitHub and
> didn't see it…
>
> Now I get these errors if I try any request to the scep endpoint:
>
> 2023/06/11 17:22:20 openxpki.system.ERROR
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
> 2023/06/11 17:22:20 openxpki.system.FATAL Uncaught exception:
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
>
> I tried setting the algorithm to aes192 and passing that with the -E
> argument in sscep and it results in:
>
> 2023/06/11 17:39:38 openxpki.system.ERROR
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
> 2023/06/11 17:39:38 openxpki.system.FATAL Uncaught exception:
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
> 2023/06/11 17:39:40 openxpki.system.ERROR
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
> 2023/06/11 17:39:40 openxpki.system.FATAL Uncaught exception:
> I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
> __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
>
>
> On Sun, Jun 11, 2023 at 4:50 PM, Nick Dawson <nd+openx...@nickdawson.net>
> wrote:
>
> Hey OpenXPKI experts…
> I'm back on my kick of trying to get some things working with scep.
>
> TL;DR I get this error: openxpki.system.FATAL Uncaught exception: Can't
> locate object method "new" via package "OpenXPKI::Service::SCEP" (perhaps
> you forgot to load "OpenXPKI::Service::SCEP"?) at /usr/local/lib/perl5/
> site_perl/OpenXPKI/Server.pm line 451, <DATA> line 1.
>
>  "Starting with v3.18, the default configuration uses a pure perl
> implementation for the SCEP server so there is no need to install any
> additional tools anymore."
>
> I had been using LibSCEP (not sure why) and modified my scep config to
> remove LibSCEP and update it to the current format as follows:
>
> [global]
> socket=/var/openxpki/openxpki.socket
> realm=dzsec
> servername=generic
> iprange=0.0.0.0/0
> log_config = /usr/local/etc/openxpki/scep/log.conf
> log_facility = client.scep
> encryption_algorithm=aes192
> hash_algorithm=SHA256
>
>
> [logger]
> # A loglevel of DEBUG MIGHT disclose sensitive user input data
> # A loglevel of TRACE WILL dump any communication unfiltered
> log_level = DEBUG
>
> [auth]
> stack=_System
>
> # OpenXPKI supports mapping additional URL Parameters to the workflow
> # Those must be whitelisted here for security reasons
> [PKIOperation]
> param = signature
>
> I don't have anything in system.yaml that explicitly turns off SCEP
> (Am I correct that's what this section of the docs refers to?)
>
> "The scep functionality is included as a special service with the core
> distribution and enabled by default. You can turn it off in the global
> system configuration (*system.server.service*)."
>
>