Enabling some debug logging shows that indeed, my system is
doing enroll_set_mode_onbehalf, instead of enroll_set_mode_renewal

2023/06/14 13:05:46 91903 Trusted Signer Authorization matched subrule
mobility
2023/06/14 13:05:46 91903 Trusted Signer not found in trust list
(CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
2023/06/14 13:05:46 91903 Condition check for exist: path
est.mobility.authorized_signer, exist: yes
2023/06/14 13:05:46 91903 Condition check for exist: path
est.mobility.authorized_signer, exist: yes
2023/06/14 13:05:46 91903 Execute action enroll_set_mode_onbehalf
2023/06/14 13:05:46 91903 Condition check for exist: path
est.mobility.authorized_signer, exist: yes
2023/06/14 13:05:46 91903 Setting context request_mode to onbehalf
2023/06/14 13:05:46 91903 Execute action
global_set_error_signer_not_authorized

from certificate_enroll.yaml I see

is_renewal_request:
    class: Workflow::Condition::LazyAND
    param:
        condition1: enroll_signer_subject_matches_csr_subject
        condition2: "!enroll_signer_key_matches_subject_key"

is_onbehalf_request:
    class: Workflow::Condition::LazyAND
    param:
        condition1: global_has_authorized_signer_rules
        condition2: "!enroll_signer_subject_matches_csr_subject"
        condition3: "!enroll_signer_key_matches_subject_key"


So "!enroll_signer_subject_matches_csr_subject" seems to fail? (Or it's
not evaluated at all?)

I have a hard time finding that in the sources though.... Do you have some
pointers?

-Harm


On Wed, Jun 14, 2023 at 1:02 PM Harm Verhagen <h...@symeon.nl> wrote:

>
>
> On Thu, Jun 8, 2023 at 8:48 PM Oliver Welter <m...@oliwel.de> wrote:
>
>> Hi Harm,
>>
>> in the OpenXPKI default workflows the condition for a renewal is a FULL
>> DN match so your incoming CSR must not only have the same CN but the
>> complete DN. This can be configured in several ways by changing the
>> comparison logic of the "subject matches" condition class, the details are
>> in the perldoc of it.
>>
>
> Ah, it needs the full DN. clear.
>
> However...
> when I do that, I get the same result when trying renewal:
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
>
> The subjects are identical now
>
> $ openssl req -in test.csr -noout -text |grep Subj |grep CN
>         Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS
> enroll, CN=testme2
>
> $ openssl x509 -in test_issued.crt -noout -text |grep Sub |grep CN
>         Subject: DC=org, DC=OpenXPKI, DC=Test Deployment client TLS
> enroll, CN=testme2
>
>
> But
> curl  -H "Content-Type: application/pkcs10" --data @test.pem  --key
> test_issued.key --cert test_issued.crt --insecure
> https://localhost:8443/.well-known/est/mobility/simplereenroll
> gives
> I18N_OPENXPKI_UI_ENROLLMENT_ERROR_SIGNER_NOT_AUTHORIZED
>
>
> It seems that my openxpki does no 'subject matches' rule check at all, it
> just checks if the signer is in an auth list.  (that sounds like
> an authorized_signer thing, but that's not what i'm trying here, I'm trying
> renewal)
>
> What am I missing here?
>
> Logs below
>
> -Harm
>
>
> ==> openxpki.log <==
> 2023/06/14 10:54:20 INFO Login successful (user: Anonymous, role: System)
> [pid=116|sid=yvwb|pki_realm=mobility]
> ==> catchall.log <==
> 2023/06/14 10:54:20 openxpki.auth.INFO Login successful (user: Anonymous,
> role: System) [pid=116|sid=yvwb|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/14 10:54:21 83199 Rendering subject: CN=testme2,DC=Test Deployment
> client TLS enroll,DC=OpenXPKI,DC=org
> ==> catchall.log <==
> 2023/06/14 10:54:21 openxpki.application.INFO Rendering subject:
> CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org
> [pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/14 10:54:21 83199 Trusted Signer chain validated - trusted root is
> tzw4UJlDLemD55ojDPxmAHU-4F8
> ==> catchall.log <==
> 2023/06/14 10:54:21 openxpki.application.INFO Trusted Signer chain
> validated - trusted root is tzw4UJlDLemD55ojDPxmAHU-4F8
> [pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
> ==> catchall.log <==
> 2023/06/14 10:54:21 openxpki.application.INFO trustrule
> HASH(0x55816c4df368)
> [pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
> ==> workflows.log <==
> 2023/06/14 10:54:21 83199 Trusted Signer not found in trust list
> (CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
> ==> catchall.log <==
> 2023/06/14 10:54:21 openxpki.application.INFO Trusted Signer not found in trust list
> (CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org).
> [pid=116|user=Anonymous|role=System|sid=yvwb|wftype=certificate_enroll|wfid=83199|pki_realm=mobility]
> ==> est.log <==
> 2023/06/14 10:54:21 INF Disconnect client [pid=113|ep=[undef]]
>
>
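As an added illustration for this thread (example code, not OpenXPKI's own): a small Python model of the two conditions quoted from certificate_enroll.yaml, fed with the subjects that appear in the thread as constructed inputs. It shows the difference between a CN-only match and the full DN match the default renewal rule requires, how the LazyAND chain short-circuits, and how a request that fails the subject match falls through to the on-behalf branch and ends in the signer-not-authorized error when the signer is not on an authorized_signer list. The parse_dn and select_mode helpers, the root_first flag (openssl prints the root DC first, the OpenXPKI log prints the CN first), the simplified comma-splitting DN parser and the 'initial' fallback are assumptions made for this example.

```python
"""Toy model of the request-mode selection from the quoted
certificate_enroll.yaml conditions (is_renewal_request / is_onbehalf_request).
Illustrative example written for this thread, not OpenXPKI code; the real
condition classes and DN handling are more complete."""

from typing import Callable, Tuple

RDNs = Tuple[Tuple[str, str], ...]

# Constructed sample inputs, copied from the subjects shown in the thread.
ISSUED_CERT_SUBJECT_OPENSSL = (
    "DC=org, DC=OpenXPKI, DC=Test Deployment client TLS enroll, CN=testme2"
)
SIGNER_SUBJECT_LOGGED = (
    "CN=testme2,DC=Test Deployment client TLS enroll,DC=OpenXPKI,DC=org"
)
# Constructed: same CN as above, but different DC components.
CSR_SUBJECT_CN_ONLY_MATCH = "CN=testme2,DC=Lab,DC=example"


def parse_dn(dn: str, root_first: bool = False) -> RDNs:
    """Split a DN string into (attribute, value) pairs, leaf (CN) first.

    Assumption/simplification: RDNs are separated by plain commas and values
    contain no escaped commas or multi-valued RDNs. root_first=True means the
    input lists the root (DC=org) first, as `openssl ... -text` prints it, so
    it is reversed into the leaf-first order the OpenXPKI log uses.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    if root_first:
        rdns.reverse()
    return tuple(rdns)


def cn_matches(a: RDNs, b: RDNs) -> bool:
    """Compare only the CN values (the weaker check first assumed in the thread)."""
    def cns(rdns: RDNs):
        return [v for k, v in rdns if k == "CN"]
    return cns(a) == cns(b)


def full_dn_matches(a: RDNs, b: RDNs) -> bool:
    """Every RDN, in order, must be equal (the default OpenXPKI renewal rule)."""
    return a == b


def lazy_and(*checks: Callable[[], bool]) -> bool:
    """Evaluate callables left to right and stop at the first False,
    mirroring the short-circuit behaviour of Workflow::Condition::LazyAND."""
    for check in checks:
        if not check():
            return False
    return True


def select_mode(signer_dn: RDNs, csr_dn: RDNs, key_matches: bool,
                has_signer_rules: bool, signer_trusted: bool) -> Tuple[str, str]:
    """Return (request_mode, follow-up action) for one enrollment request.

    The two branches mirror the quoted conditions; the trust-list step after
    the on-behalf branch and the 'initial' fallback are assumptions about the
    surrounding workflow, not taken from the page.
    """
    subject_matches = full_dn_matches(signer_dn, csr_dn)
    if lazy_and(lambda: subject_matches, lambda: not key_matches):
        return ("renewal", "enroll_set_mode_renewal")
    if lazy_and(lambda: has_signer_rules,
                lambda: not subject_matches,
                lambda: not key_matches):
        if signer_trusted:
            return ("onbehalf", "enroll_set_mode_onbehalf")
        return ("onbehalf", "global_set_error_signer_not_authorized")
    return ("initial", "")  # assumed fallback when neither condition holds


if __name__ == "__main__":
    signer = parse_dn(SIGNER_SUBJECT_LOGGED)
    same = parse_dn(ISSUED_CERT_SUBJECT_OPENSSL, root_first=True)
    partial = parse_dn(CSR_SUBJECT_CN_ONLY_MATCH)
    print("identical DN ->", select_mode(signer, same, False, True, False))
    print("CN-only match ->", select_mode(signer, partial, False, True, False))
```

The CN-only case reproduces the sequence seen in the workflow log: the renewal condition fails on the subject comparison, the on-behalf condition passes because an authorized_signer rule exists, and the request then ends in global_set_error_signer_not_authorized because the signer is not on the trust list. Comparing the openssl and OpenXPKI renderings of the same subject only works once both are normalized to one RDN order, which is why the model parses them explicitly instead of comparing strings.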
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users