On Thu, Jun 8, 2023 at 8:48 PM Oliver Welter <m...@oliwel.de> wrote:

> Hi Harm,
>
> in the OpenXPKI default workflows the condition for a renewal is a FULL DN
> match so your incoming CSR must not only have the same CN but the complete
> DN. This can be configured in several ways by changing the comparison logic
> of the "subject matches" condition class, the details are in the perldoc of
> it.
>

Ah, it needs the full DN. Clear.

However...
when I do that, I get the same result when trying renewal:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED

The subjects are identical now:

$ openssl req -in test.csr -noout -text |grep Subj |grep CN
        Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll,
CN=testme2

$ openssl x509 -in test_issued.crt -noout -text |grep Sub |grep CN
        Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll,
CN=testme2


But
curl -H "Content-Type: application/pkcs10" --data @test.pem --key
test_issued.key --cert test_issued.crt --insecure
https://localhost:8443/.well-known/est/mobility/simplereenroll
gives
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED


It seems that my openxpki does no 'subject matches' rule check at all; it
just checks if the signer is in an auth list. (That sounds like
an authorized_signer thing, but that's not what I'm trying here, I'm trying
renewal.)

What am I missing here?

Logs below

-Harm


==> openxpki.log <==
2023/06/14 10:54:20 INFO Login successful (user: Anonymous, role: System)
[pid=116|sid=yvwb|pki_realm=mobility]
==> catchall.log <==
2023/06/14 10:54:20 openxpki.auth.INFO Login successful (user: Anonymous,
role: System) [pid=116|sid=yvwb|pki_realm=mobility]
==> workflows.log <==
2023/06/14 10:54:21 83199 Rendering subject: CN=testme2,DC=Test Deployment
client TLS enroll,DC=OpenXPKI,DC=org
==> catchall.log <==
2023/06/14 10:54:21 openxpki.application.INFO Rendering subject:
CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
[pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
==> workflows.log <==
2023/06/14 10:54:21 83199 Trusted Signer chain validated - trusted root is
tzw4UJlDLemD55ojDPxmAHU-4F8
==> catchall.log <==
2023/06/14 10:54:21 openxpki.application.INFO Trusted Signer chain
validated - trusted root is tzw4UJlDLemD55ojDPxmAHU-4F8
[pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
==> catchall.log <==
2023/06/14 10:54:21 openxpki.application.INFO trustrule
HASH(0x55816c4df368)
[pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
==> workflows.log <==
2023/06/14 10:54:21 83199 Trusted Signer not found in trust list
(CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
==> catchall.log <==
2023/06/14 10:54:21 openxpki.application.INFO Trusted Signer not found in trust list
(CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
[pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
==> est.log <==
2023/06/14 10:54:21 INF Disconnect client [pid=113|ep=[undef]]
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
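To make the "full DN match" point from Oliver's reply concrete, here is an added example (not OpenXPKI code, and not from either poster) that parses the two subject strings quoted in the thread and compares them as a full DN and as CN only. It assumes openssl prints RDNs in ASN.1 order (root first) while the OpenXPKI log line uses RFC 4514 order (CN first), and it compares values by exact string equality; OpenXPKI's own condition class is configurable, as Oliver notes.

```python
import re

# Constructed sample input, copied from the two subject lines quoted in the thread.
# Assumption: openssl prints RDNs in ASN.1 (encoded) order with ", " separators,
# while OpenXPKI's "Rendering subject" log line uses RFC 4514 order (CN first).
OPENSSL_CERT_SUBJECT = "DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, CN=testme2"
OPENXPKI_CSR_SUBJECT = "CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
# A constructed CSR subject that only reproduces the CN, which the reply says is not enough.
CN_ONLY_CSR_SUBJECT = "CN=testme2"

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn, asn1_order=False):
    """Return the DN as a list of (type, value) pairs in RFC 4514 order.

    asn1_order=True tells the parser the input lists RDNs root-first (the
    openssl print order), so the list is reversed into the canonical form.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr_type.strip().upper(), value.replace("\\,", ",")))
    return rdns[::-1] if asn1_order else rdns


def cn_of(rdns):
    """First CN value in the parsed DN, or None if there is none."""
    return next((v for t, v in rdns if t == "CN"), None)


def full_dn_match(cert_rdns, csr_rdns):
    """Renewal condition as described in the reply: every RDN must agree."""
    return cert_rdns == csr_rdns


def cn_only_match(cert_rdns, csr_rdns):
    """The weaker check a CN-only CSR would pass: only the CN is compared."""
    return cn_of(cert_rdns) is not None and cn_of(cert_rdns) == cn_of(csr_rdns)


if __name__ == "__main__":
    cert = parse_dn(OPENSSL_CERT_SUBJECT, asn1_order=True)
    for label, csr in (("full-DN CSR", parse_dn(OPENXPKI_CSR_SUBJECT)),
                       ("CN-only CSR", parse_dn(CN_ONLY_CSR_SUBJECT))):
        print(f"{label}: full match={full_dn_match(cert, csr)}, "
              f"CN match={cn_only_match(cert, csr)}")
```

The log Harm posted stops at "Trusted Signer not found in trust list", which is a different check from the subject comparison shown here.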
