Ha! If I thought I could somehow blow away my current install and start fresh, while maintaining data, I would probably go that route. I might also not host on FreeBSD :)
Thanks for the suggestion - I've done some grep'ing and diff'ing and I believe I have merged all changes from the default current config.d to my realm. I also ensured anywhere SCEP is mentioned in def/workflow/* that I've brought the current code forward.

I still get this error:

openxpki.system.ERROR OpenSSL error: Invalid command '-print_msgtype'; type "help" for a list.

I've confirmed that my /usr/local/lib/perl5/site_perl/OpenXPKI/Crypto/ is current with core/server/OpenXPKI/Crypto from the repo. I'm not a perl guy so it's hard for me to follow the code… but it feels like somehow something isn't calling the implementation of OpenSSL in core/server/OpenXPKI/Crypto/Backend

On Mon, Jun 12, 2023 at 12:25 AM, Oliver Welter <m...@oliwel.de> wrote:

> Hi Nick,
>
> it looks like you have one of the oldest OpenXPKI installations out there .)
>
> No you do not need this any longer and we stopped shipping this years ago - some history: in very ancient times we used this binary from the OpenCA project to make all the backend work around SCEP, as this was no longer maintained and clumsy in a lot of ways we started to move to a builtin library "LibSCEP" to do this job. Both are now obsolete and we do ALL SCEP related stuff with the default openssl and pure perl code.
>
> I suggest you grep your config for the word "scep" and compare any occurrence against the current default config.
>
> Oli
>
> On 12.06.23 04:45, Nick Dawson wrote:
>
> Very sorry to send so many messages - would rather give complete information and not waste anyone's time.
>
> I note that the current defaults for the realm-specific crypto.yaml specify this:
>
> shell: /usr/bin/openca-scep
>
> There is no openca-scep package for freebsd (my host) and the openca-tools don't compile under FreeBSD 13.x
>
> Does OpenXPKI still require openca-tools or is it all built in now?
>
> Logs also show this which suggests the openca-scep package is not found.
>
> 2023/06/11 20:39:47 openxpki.system.ERROR OpenSSL error: Invalid command '-print_msgtype'; type "help" for a list. [pid=74244|sid=MGl/]
> 2023/06/11 20:39:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
> 2023/06/11 20:39:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
> 2023/06/11 20:39:47 openxpki.system.ERROR Error executing SCEP command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => -print_msgtype -noout -inform DER -in /var/tmp/openxpki74244w4lBoTVW -out /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256 [pid=74244|sid=MGl/]
>
> On Sun, Jun 11, 2023 at 5:40 PM, Nick Dawson <nd+openx...@nickdawson.net> wrote:
>
> Update:
>
> Discovered adding this to the services section system.yaml seems to work:
>
> SCEP:
>     enabled: 1
>
> Interestingly, I looked for that in default system.yaml in github and didn't see it…
>
> Now I get these errors if I try any request to the scep endpoint:
>
> 2023/06/11 17:22:20 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
> 2023/06/11 17:22:20 openxpki.system.FATAL Uncaught exception: I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
>
> I tried setting the algorithm to aes192 and passing that with the -E argument in sscep and it results in:
>
> ^[[A2023/06/11 17:39:38 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
> 2023/06/11 17:39:38 openxpki.system.FATAL Uncaught exception: I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
> 2023/06/11 17:39:40 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
> 2023/06/11 17:39:40 openxpki.system.FATAL Uncaught exception: I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED; __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
>
> On Sun, Jun 11, 2023 at 4:50 PM, Nick Dawson <nd+openx...@nickdawson.net> wrote:
>
> Hey OpenXPKI experts…
> I'm back on my kick of trying to get some things working with scep.
>
> TL;DR I get this error: openxpki.system.FATAL Uncaught exception: Can't locate object method "new" via package "OpenXPKI::Service::SCEP" (perhaps you forgot to load "OpenXPKI::Service::SCEP"?) at /usr/local/lib/perl5/site_perl/OpenXPKI/Server.pm line 451, <DATA> line 1.
>
> "Starting with v3.18, the default configuration uses a pure perl implementation for the SCEP server so there is no need to install any additional tools anymore."
>
> I had been using LibSCEP (not sure why) and modified my scep config to remove LibSCEP and update it to the current format as follows:
>
> [global]
> socket=/var/openxpki/openxpki.socket
> realm=dzsec
> servername=generic
> iprange=0.0.0.0/0
> log_config = /usr/local/etc/openxpki/scep/log.conf
> log_facility = client.scep
> encryption_algorithm=aes192
> hash_algorithm=SHA256
>
> [logger]
> # A loglevel of DEBUG MIGHT disclose sensitive user input data
> # A loglevel of TRACE WILL dump any communication unfiltered
> log_level = DEBUG
>
> [auth]
> stack=_System
>
> # OpenXPKI supports mapping additional URL Parameters to the workflow
> # Those must be whitelisted here for security reasons
> [PKIOperation]
> param = signature
>
> I don't have anything in system.yaml that explicitly turns off SCEP
> (Am I correct that's what this section of the docs refers to?)
>
> "The scep functionality is included as a special service with the core distribution and enabled by default. You can turn it off in the global system configuration (*system.server.service*)."
>
> --
> Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users