Hi Nick,

it looks like you have one of the oldest OpenXPKI installations out there .)

No, you do not need this any longer and we stopped shipping this years ago - some history: in very ancient times we used this binary from the OpenCA project to make all the backend work around SCEP, as this was no longer maintained and clumsy in a lot of ways we started to move to a builtin library "LibSCEP" to do this job. Both are now obsolete and we do ALL SCEP related stuff with the default openssl and pure perl code.

I suggest you grep your config for the word "scep" and compare any occurrence against the current default config.

Oli

On 12.06.23 04:45, Nick Dawson wrote:
Very sorry to send so many messages - would rather give complete information and not waste anyone's time.

I note that the current defaults for the realm-specific crypto.yaml specify this:
    shell: /usr/bin/openca-scep

There is no openca-scep package for FreeBSD (my host) and the openca-tools don't compile under FreeBSD 13.x

Does OpenXPKI still require openca-tools or is it all built in now?

Logs also show this, which suggests the openca-scep package is not found.

2023/06/11 20:39:47 openxpki.system.ERROR OpenSSL error: Invalid command '-print_msgtype'; type "help" for a list. [pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
2023/06/11 20:39:47 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]


On Sun, Jun 11, 2023 at 5:40 PM, Nick Dawson <nd+openx...@nickdawson.net> wrote:

    Update:

    Discovered adding this to the services section system.yaml seems
    to work:

        SCEP:
            enabled: 1

    Interestingly, I looked for that in default system.yaml in github
    and didn't see it…

    Now I get these errors if I try any request to the scep endpoint:

    2023/06/11 17:22:20 openxpki.system.ERROR
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
    2023/06/11 17:22:20 openxpki.system.FATAL Uncaught exception:
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]

    I tried setting the algorithm to aes192 and passing that with the
    -E argument in sscep and it results in:

    2023/06/11 17:39:38 openxpki.system.ERROR
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
    2023/06/11 17:39:38 openxpki.system.FATAL Uncaught exception:
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
    2023/06/11 17:39:40 openxpki.system.ERROR
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
    2023/06/11 17:39:40 openxpki.system.FATAL Uncaught exception:
    I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
    __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]


    On Sun, Jun 11, 2023 at 4:50 PM, Nick Dawson
    <nd+openx...@nickdawson.net> wrote:

        Hey OpenXPKI experts…
        I'm back on my kick of trying to get some things working with
        scep.

        TL;DR I get this error: openxpki.system.FATAL Uncaught
        exception: Can't locate object method "new" via package
        "OpenXPKI::Service::SCEP" (perhaps you forgot to load
        "OpenXPKI::Service::SCEP"?) at
        /usr/local/lib/perl5/site_perl/OpenXPKI/Server.pm line
        451, <DATA> line 1.

         "Starting with v3.18, the default configuration uses a pure
        perl implementation for the SCEP server so there is no need to
        install any additional tools anymore."

        I had been using LibSCEP (not sure why) and modified my scep
        config to remove LibSCEP and update it to the current format
        as follows:

        [global]
        socket=/var/openxpki/openxpki.socket
        realm=dzsec
        servername=generic
        iprange=0.0.0.0/0
        log_config= /usr/local/etc/openxpki/scep/log.conf
        log_facility= client.scep
        encryption_algorithm=aes192
        hash_algorithm=SHA256


        [logger]
        # A loglevel of DEBUG MIGHT disclose sensitive user input data
        # A loglevel of TRACE WILL dump any communication unfiltered
        log_level= DEBUG

        [auth]
        stack=_System

        # OpenXPKI supports mapping additional URL Parameters to the workflow
        # Those must be whitelisted here for security reasons
        [PKIOperation]
        param= signature

        I don't have anything in system.yaml that explicitly turns off
        SCEP
        (Am I correct that's what this section of the docs refers to?)

        "The scep functionality is included as a special service with
        the core distribution and enabled by default. You can turn it
        off in the global system configuration
        (system.server.service)."




_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
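
The config check suggested at the top of this reply, as an added example that is not part of the original thread or of OpenXPKI. The function names `scep_config_drift` and `make_sample_trees`, the directory layout and the contents of the two sample trees are assumptions constructed for illustration; the reference tree is a stand-in, not the real default config.

```shell
#!/bin/sh
# Print every line mentioning "scep" in a live config tree that does not
# occur anywhere in a reference (default) config tree.
# Lines are compared with surrounding whitespace stripped and regardless of
# which file they sit in, because realm directory names differ per site.
# Usage: scep_config_drift LIVE_DIR DEFAULT_DIR
scep_config_drift() {
    live=$1 ref=$2
    ref_lines=$(mktemp) && hits=$(mktemp) || return 2
    # All scep-related lines of the reference tree, normalised.
    grep -rih scep "$ref" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | sort -u > "$ref_lines"
    # path:lineno:text for every match in the live tree.
    grep -rin scep "$live" > "$hits" || true
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        lineno=${rest%%:*}; text=${rest#*:}
        text=$(printf '%s\n' "$text" \
            | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        # Report only lines the reference config does not contain.
        if ! grep -qxF -e "$text" "$ref_lines"; then
            printf '%s:%s: %s\n' "$file" "$lineno" "$text"
        fi
    done < "$hits"
    rm -f "$ref_lines" "$hits"
    return 0
}

# Constructed sample data: a live tree with the obsolete settings from this
# thread and a made-up reference tree. Prints the temp directory it created.
make_sample_trees() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/live/realm/dzsec" "$d/default/realm/example"
    printf '%s\n' 'type:' '  scep: scep' 'token:' '  scep:' \
        '    backend: OpenXPKI::Crypto::Tool::SCEP' \
        '    shell: /usr/bin/openca-scep' > "$d/live/realm/dzsec/crypto.yaml"
    printf '%s\n' 'type:' '  scep: scep' 'token:' '  scep:' \
        '    inherit: default' > "$d/default/realm/example/crypto.yaml"
    printf '%s\n' "$d"
}

sample=$(make_sample_trees)
scep_config_drift "$sample/live" "$sample/default"
rm -rf "$sample"
```

On a real host the two arguments would be the live config directory and a checkout of the current default config; file paths containing a colon are not handled.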