Hi Nick,

As the database schema was not changed, it should work without problems to start a new configuration using the old database.

The error indicates that you are still calling the old SCEP implementation, AFAIR this is defined in system/crypto.yaml (might also be the realm's crypto.yaml) - check there for something like "API...SCEP" and compare with the current config.

Oli
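
Added example, not part of the original thread and not OpenXPKI code: a shell helper for the grep-and-compare check suggested in this thread. It lists each line mentioning "scep" in an installed config tree that has no identical line in the same file of a default config tree. The function names, the directory layout and the file contents created by `make_sample` are constructed for a dry run and are not real OpenXPKI defaults.

```shell
#!/bin/sh
# Added example (not OpenXPKI code): report "scep" lines in an installed
# config tree that have no identical line in the same file of a default tree.

# scep_drift INSTALLED_DIR DEFAULT_DIR
# Prints "relative/path:lineno:content" for every drifting line.
scep_drift() {
    installed=$1
    reference=$2
    # Files in the installed tree that mention scep (any case), binaries skipped.
    ( cd "$installed" && grep -rIil 'scep' . | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        grep -in 'scep' "$installed/$rel" |
        while IFS= read -r hit; do
            text=${hit#*:}   # strip the "lineno:" prefix added by grep -n
            # Identical line present in the default file: nothing to review.
            if [ -f "$reference/$rel" ] &&
               grep -qxF -e "$text" "$reference/$rel"; then
                continue
            fi
            printf '%s:%s\n' "$rel" "$hit"
        done
    done
}

# Constructed sample trees for a dry run; the contents are illustrative only.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/installed/realm" "$root/default/realm"
    printf 'scep:\n    shell: /usr/bin/openca-scep\n' \
        > "$root/installed/realm/crypto.yaml"
    printf 'scep:\n    key: placeholder\n' \
        > "$root/default/realm/crypto.yaml"
    printf 'service:\n    SCEP:\n        enabled: 1\n' \
        > "$root/installed/system.yaml"
    printf 'service:\n    Default:\n        enabled: 1\n' \
        > "$root/default/system.yaml"
    echo "$root"
}

# Real use: sh scep_drift.sh /path/to/installed/config /path/to/default/config
if [ "$#" -eq 2 ]; then
    scep_drift "$1" "$2"
fi
```

Lines are compared exactly, including indentation, so a re-indented but otherwise unchanged entry is also reported for review.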

On 12.06.23 18:28, Nick Dawson wrote:
Ha! If I thought I could somehow blow away my current install and start fresh, while maintaining data, I would probably go that route. I might also not host on FreeBSD :)

Thanks for the suggestion - I've done some grep'ing and diff'ing and I believe I have merged all changes from the default current config.d to my realm.

I also ensured anywhere SCEP is mentioned in def/workflow/* that I've brought the current code forward.

I still get this error: openxpki.system.ERROR OpenSSL error: Invalid command '-print_msgtype'; type "help" for a list.

I've confirmed that my /usr/local/lib/perl5/site_perl/OpenXPKI/Crypto/ is current with core/server/OpenXPKI/Crypto from the repo.

I'm not a perl guy so it's hard for me to follow the code… but it feels like somehow something isn't calling the implementation of OpenSSL in core/server/OpenXPKI/Crypto/Backend


On Mon, Jun 12, 2023 at 12:25 AM, Oliver Welter <m...@oliwel.de> wrote:

    Hi Nick,

    it looks like you have one of the oldest OpenXPKI installations
    out there .)

    No, you do not need this any longer and we stopped shipping this
    years ago - some history: in very ancient times we used this
    binary from the OpenCA project to make all the backend work around
    SCEP, as this was no longer maintained and clumsy in a lot of ways
    we started to move to a builtin library "LibSCEP" to do this job.
    Both are now obsolete and we do ALL SCEP related stuff with the
    default openssl and pure perl code.

    I suggest you grep your config for the word "scep" and compare any
    occurrence against the current default config.

    Oli

    On 12.06.23 04:45, Nick Dawson wrote:
    Very sorry to send so many messages - would rather give complete
    information and not waste anyone's time.

    I note that the current defaults for the realm-specific
    crypto.yaml specify this:
    shell: /usr/bin/openca-scep

    There is no openca-scep package for FreeBSD (my host) and the
    openca-tools don't compile under FreeBSD 13.x

    Does OpenXPKI still require openca-tools or is it all built in now?

    Logs also show this which suggests the openca-scep package is
    not found.

    2023/06/11 20:39:47 openxpki.system.ERROR OpenSSL error: Invalid
    command '-print_msgtype'; type "help" for a list.
    [pid=74244|sid=MGl/]
    2023/06/11 20:39:47 openxpki.system.ERROR
    I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ =>
    -print_msgtype -noout -inform DER -in
    /var/tmp/openxpki74244w4lBoTVW -out
    /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256
    [pid=74244|sid=MGl/]
    2023/06/11 20:39:47 openxpki.system.ERROR
    I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
    OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type,
    __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
    __COMMAND__ => -print_msgtype -noout -inform DER -in
    /var/tmp/openxpki74244w4lBoTVW -out
    /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256
    [pid=74244|sid=MGl/]
    2023/06/11 20:39:47 openxpki.system.ERROR Error executing SCEP
    command 'PKIOperation': I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
    __COMMAND__ =>
    OpenXPKI::Crypto::Tool::SCEP::Command::get_message_type,
    __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
    __COMMAND__ => -print_msgtype -noout -inform DER -in
    /var/tmp/openxpki74244w4lBoTVW -out
    /var/tmp/openxpki74244FriC7UMn, __EXIT_STATUS__ => 256
    [pid=74244|sid=MGl/]


    On Sun, Jun 11, 2023 at 5:40 PM, Nick Dawson
    <nd+openx...@nickdawson.net> wrote:

        Update:

        Discovered adding this to the services section of system.yaml
        seems to work:

            SCEP:
                enabled: 1

        Interestingly, I looked for that in default system.yaml in
        github and didn't see it…

        Now I get these errors if I try any request to the scep
        endpoint:

        2023/06/11 17:22:20 openxpki.system.ERROR
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]
        2023/06/11 17:22:20 openxpki.system.FATAL Uncaught exception:
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => Default [pid=3516|sid=Nqz7]

        I tried setting the algorithm to aes192 and passing that with
        the -E argument in sscep and it results in:

        2023/06/11 17:39:38 openxpki.system.ERROR
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
        2023/06/11 17:39:38 openxpki.system.FATAL Uncaught exception:
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => aes192 [pid=5857|sid=kgoa]
        2023/06/11 17:39:40 openxpki.system.ERROR
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]
        2023/06/11 17:39:40 openxpki.system.FATAL Uncaught exception:
        I18N_OPENXPKI_SERVICE_SCEP_INVALID_ALGORITHM_REQUESTED;
        __REQUESTED_ALGORITHM__ => aes192 [pid=5864|sid=VMTZ]


        On Sun, Jun 11, 2023 at 4:50 PM, Nick Dawson
        <nd+openx...@nickdawson.net> wrote:

            Hey OpenXPKI experts…
            I'm back on my kick of trying to get some things working
            with scep.

            TL;DR I get this error: openxpki.system.FATAL Uncaught
            exception: Can't locate object method "new" via package
            "OpenXPKI::Service::SCEP" (perhaps you forgot to load
            "OpenXPKI::Service::SCEP"?) at
            /usr/local/lib/perl5/site_perl/OpenXPKI/Server.pm
            line 451, <DATA> line 1.

            "Starting with v3.18, the default configuration uses a
            pure perl implementation for the SCEP server so there is
            no need to install any additional tools anymore."

            I had been using LibSCEP (not sure why) and modified my
            scep config to remove LibSCEP and update it to the
            current format as follows:

            [global]
            socket=/var/openxpki/openxpki.socket
            realm=dzsec
            servername=generic
            iprange=0.0.0.0/0
            log_config= /usr/local/etc/openxpki/scep/log.conf
            log_facility= client.scep
            encryption_algorithm=aes192
            hash_algorithm=SHA256


            [logger]
            # A loglevel of DEBUG MIGHT disclose sensitive user input data
            # A loglevel of TRACE WILL dump any communication unfiltered
            log_level= DEBUG

            [auth]
            stack=_System

            # OpenXPKI supports mapping additional URL Parameters to the workflow
            # Those must be whitelisted here for security reasons
            [PKIOperation]
            param= signature

            I don't have anything in system.yaml that
            explicitly turns off SCEP
            (Am I correct that's what this section of the docs refers
            to?)

            "The scep functionality is included as a special service
            with the core distribution and enabled by default. You
            can turn it off in the global system configuration
            (system.server.service)."




    _______________________________________________
    OpenXPKI-users mailing list
    OpenXPKI-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- Protect your environment - close windows and adopt a penguin!
