Hi Thomas,

Invalid profile means that the NAME of the profile that the workflow tries to issue does not exist or is not in the list of the allowed endpoint profiles.

Oliver

On 23.08.23 13:23, Thomas Gusset wrote:

Hi

I have a strange problem with EST. I try to issue certificates and (this is the weird part) sometimes it works and sometimes it results in an I18N_OPENXPKI_UI_INVALID_PROFILE error.

Yesterday during the day it worked at the beginning and then it didn't work anymore. In the evening I tried it again from home and it worked there. Then this morning it didn't work again. I always do the tests directly on the server on which OpenXPKI is installed. I use ECC keys, but have also tried RSA keys. Both have worked before.

The logs show

workflow.log

…
2023/08/23 13:04:35 14335 Using custom field class OpenXPKI::Server::Workflow::Field
2023/08/23 13:04:35 14335 Execute action global_map_url_params
2023/08/23 13:04:35 14335 Execute action enroll_set_transaction_id
2023/08/23 13:04:35 14335 Setting context transaction_id to cc884f27bef5d142073490e184894597234abb82
2023/08/23 13:04:35 14335 Execute action enroll_set_workflow_attributes
2023/08/23 13:04:35 14335 Execute action global_load_policy
2023/08/23 13:04:35 14335 No policy params set in LoadPolicy
2023/08/23 13:04:35 14335 Execute action global_set_profile
2023/08/23 13:04:35 14335 Calling Connector::GetValue in mode hash with path est|ivoc-test|profile
2023/08/23 13:04:35 14335 Execute action enroll_parse_pkcs10
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_noop
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_set_error_invalid_profile
2023/08/23 13:04:35 14335 Set error code I18N_OPENXPKI_UI_INVALID_PROFILE for workflow 14335

est.log:

2023/08/23 13:04:34 DEB Parsed URI: ivoc-test => simpleenroll [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB calling context is https [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB unauthenticated (no cert) [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Pickup via attribute with transaction_id => cc884f27bef5d142073490e184894597234abb82 [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize client [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Started volatile session with id: VeYXALjtTsO+gXyosTfWeA== [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Selecting auth stack _System [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize certificate_enroll with params pkcs10, transaction_id, server, interface [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Workflow created (ID: 14335), State: FAILURE [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Status: 400 Request was rejected [pid=1010|ep=[undef]]
2023/08/23 13:04:35 INF Disconnect client [pid=1010|ep=[undef]]

If I take the pkcs10 certificate request from the workflow concept (from the Web GUI) I can enrol the certificate.

The profile is

# The name of the file equals the name of the profile
label: IvoControl device certificate
key:
    alg:
      - ec
    generate: client
    ec:
      curve_name:
        - prime256v1
        - secp256r1
style:
    00_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            subject:
                - cn
            info:
                - requestor_realname
                - requestor_email
                - requestor_affiliation
                - owner_contact
                - comment
        subject:
            dn: CN=[% CN %],DC=IvoControl Test CA,DC=IvoControl,DC=net
        metadata:
            requestor: "[% requestor_realname %]"
            email: "[% requestor_email %]"
            owner_contact: "[% owner_contact || requestor_email %]"
            entity: "[% hostname FILTER lower %]"
    enroll:
        subject:
            dn: CN=[% CN.0 %],O=Ivoclar Vivadent AG,L=Schaan,C=LI,DC=ivocontrol,DC=net
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            # entity: "[% CN.0.replace(':.*','') FILTER lower %]"

# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        key_encipherment:  1
    extended_key_usage:
        critical: 0
        client_auth:      1

I have no idea where to start looking for the cause of the problem.

Thanks in advance

Thomas

*NetSec.co AG*
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co <https://netsec.co>
+423 388 2777 / +423 388 2770 (direct)
[email protected] <mailto:[email protected]>
https://threema.id/NK3MJMNP <https://threema.id/NK3MJMNP>
Chat on MS Teams <https://teams.microsoft.com/l/chat/0/[email protected]>



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
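Added example, not from the thread and not OpenXPKI's own code: a stand-alone Python model of the two decisions the workflow log above walks through, resolving the profile NAME for the EST endpoint (global_set_profile reading est|ivoc-test|profile, then the certificateTemplateName test) and checking that name against the profiles that exist and the endpoint's allow-list, which is the condition Oliver describes for I18N_OPENXPKI_UI_INVALID_PROFILE. It also checks the CSR key against the key.alg / key.ec.curve_name lists of the posted profile. Everything about the config layout is an assumption: the hash form under `profile` with `default` and `templates`, the `allowed_profiles` key, the profile file name `ivocontrol_device`, and the `ParsedCsr` fields standing in for a real PKCS#10 parser. The certificateTemplateName OID 1.3.6.1.4.1.311.20.2 is the Microsoft enrollment extension OID. The sample CSRs are constructed.

```python
"""Stand-alone model of the profile checks behind I18N_OPENXPKI_UI_INVALID_PROFILE.

Added example; it is not OpenXPKI code. Config layout, profile name and CSR
fields are constructed assumptions chosen to mirror the posted log and profile.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INVALID_PROFILE = "I18N_OPENXPKI_UI_INVALID_PROFILE"

# Microsoft "Certificate Template Name" CSR extension (szOID_ENROLL_CERTTYPE_EXTENSION);
# this is the req_extensions key the workflow log tests for.
CERT_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"

# Constructed stand-in for what Connector::GetValue would return below the
# endpoint path est|ivoc-test. A real server loads this from YAML; PyYAML is
# avoided so the example runs with the standard library only.
CONFIG: Dict = {
    "est": {
        "ivoc-test": {
            # Assumed layout: a fixed default plus an optional map from the
            # client-supplied template name to a server-side profile name.
            "profile": {
                "default": "ivocontrol_device",
                "templates": {"IvoControlDevice": "ivocontrol_device"},
            },
            # Assumed allow-list of profiles this endpoint may issue.
            "allowed_profiles": ["ivocontrol_device"],
        }
    }
}

# Profiles present on the server (file name == profile name). Only the key
# section of the posted profile is modelled; the file is assumed to be
# named ivocontrol_device.yaml.
PROFILES: Dict = {
    "ivocontrol_device": {
        "key": {"alg": ["ec"], "ec": {"curve_name": ["prime256v1", "secp256r1"]}},
    }
}


@dataclass
class ParsedCsr:
    """What a PKCS#10 parser would hand to the workflow (constructed fields)."""
    key_alg: str                      # "ec" or "rsa"
    curve_name: Optional[str] = None  # OpenSSL curve name for EC keys
    req_extensions: Dict[str, str] = field(default_factory=dict)


def resolve_profile(endpoint: str, csr: ParsedCsr,
                    config: Dict = CONFIG,
                    profiles: Dict = PROFILES) -> Tuple[Optional[str], Optional[str]]:
    """Pick the profile for an EST endpoint and CSR.

    Returns (profile_name, None) on success, or (None, error_code) when the
    resolved NAME does not exist or is not allowed for the endpoint.
    """
    ep = config.get("est", {}).get(endpoint)
    if ep is None:
        return None, INVALID_PROFILE
    pcfg = ep.get("profile")
    if isinstance(pcfg, str):
        name: Optional[str] = pcfg  # scalar: endpoint is pinned to one profile
    else:
        # The template name comes from the CLIENT's CSR, so it may only select
        # from the server-side map and is never used as a profile name directly.
        template = csr.req_extensions.get(CERT_TEMPLATE_NAME_OID, "").strip()
        if template:
            name = (pcfg or {}).get("templates", {}).get(template)
        else:
            name = (pcfg or {}).get("default")
    if not name or name not in profiles:
        return None, INVALID_PROFILE
    allowed: List[str] = ep.get("allowed_profiles") or []
    if allowed and name not in allowed:
        return None, INVALID_PROFILE
    return name, None


def key_matches_profile(profile_name: str, csr: ParsedCsr,
                        profiles: Dict = PROFILES) -> bool:
    """Check the CSR key against the profile's key.alg / key.ec.curve_name lists."""
    key_cfg = profiles[profile_name]["key"]
    if csr.key_alg not in key_cfg.get("alg", []):
        return False
    if csr.key_alg == "ec":
        return csr.curve_name in key_cfg.get("ec", {}).get("curve_name", [])
    return True


def check_enrollment(endpoint: str, csr: ParsedCsr) -> Tuple[bool, str]:
    """Run both checks; returns (ok, detail) for use as a pre-flight test."""
    name, err = resolve_profile(endpoint, csr)
    if err:
        return False, err
    if not key_matches_profile(name, csr):
        return False, f"key does not satisfy profile {name}"
    return True, name


if __name__ == "__main__":
    # Constructed CSRs: one without a template extension, one carrying an
    # unknown certificateTemplateName, one with an RSA key.
    samples = {
        "plain": ParsedCsr("ec", "prime256v1"),
        "odd_template": ParsedCsr("ec", "prime256v1", {CERT_TEMPLATE_NAME_OID: "WebServer"}),
        "rsa": ParsedCsr("rsa"),
    }
    for label, csr in samples.items():
        print(label, check_enrollment("ivoc-test", csr))
```

The point of running the two CSRs side by side is that a request which looks fine from the GUI can still fail over EST when the EST client adds a certificateTemplateName the endpoint map does not know, or uses a key the profile's `key` section does not list; comparing the extensions of a working and a failing CSR (for example with `openssl req -noout -text`) is the practical first step.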