Hi Oliver

Thanks for the hint. Where to find the ‘list of the allowed endpoint profiles’? In the meantime I copied <realm>/est/default.yaml to <realm>/est/<realm>.yaml and now it works like a charm.
Best regards
Thomas

From: Oliver Welter <[email protected]>
Sent: Friday, 25 August 2023 07:43
To: [email protected]
Subject: Re: [OpenXPKI-users] EST - invalid profile

Hi Thomas,

invalid profile means that the NAME of the profile that the workflow tries to issue does not exist or is not in the list of the allowed endpoint profiles.

Oliver

On 23.08.23 13:23, Thomas Gusset wrote:

Hi

I have a strange problem with EST. I try to issue certificates and (this is the weird part) sometimes it works and sometimes it results in an I18N_OPENXPKI_UI_INVALID_PROFILE error. Yesterday during the day it worked at the beginning and then it didn't work anymore. In the evening I tried it again from home and it worked there. Then this morning it didn't work again. I always do the tests directly on the server on which OpenXPKI is installed. I use ECC keys, but have also tried RSA keys. Both have worked before.

The logs show

workflow.log
…
2023/08/23 13:04:35 14335 Using custom field class OpenXPKI::Server::Workflow::Field
2023/08/23 13:04:35 14335 Execute action global_map_url_params
2023/08/23 13:04:35 14335 Execute action enroll_set_transaction_id
2023/08/23 13:04:35 14335 Setting context transaction_id to cc884f27bef5d142073490e184894597234abb82
2023/08/23 13:04:35 14335 Execute action enroll_set_workflow_attributes
2023/08/23 13:04:35 14335 Execute action global_load_policy
2023/08/23 13:04:35 14335 No policy params set in LoadPolicy
2023/08/23 13:04:35 14335 Execute action global_set_profile
2023/08/23 13:04:35 14335 Calling Connector::GetValue in mode hash with path est|ivoc-test|profile
2023/08/23 13:04:35 14335 Execute action enroll_parse_pkcs10
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_noop
2023/08/23 13:04:35 14335 Testing if WFHash req_extensions key certificateTemplateName is key_nonempty
2023/08/23 13:04:35 14335 Execute action global_set_error_invalid_profile
2023/08/23 13:04:35 14335 Set error code I18N_OPENXPKI_UI_INVALID_PROFILE for workflow 14335

est.log:
2023/08/23 13:04:34 DEB Parsed URI: ivoc-test => simpleenroll [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB calling context is https [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB unauthenticated (no cert) [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Pickup via attribute with transaction_id => cc884f27bef5d142073490e184894597234abb82 [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize client [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Started volatile session with id: VeYXALjtTsO+gXyosTfWeA== [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Selecting auth stack _System [pid=1010|ep=[undef]]
2023/08/23 13:04:34 DEB Initialize certificate_enroll with params pkcs10, transaction_id, server, interface [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Workflow created (ID: 14335), State: FAILURE [pid=1010|ep=[undef]]
2023/08/23 13:04:35 DEB Status: 400 Request was rejected [pid=1010|ep=[undef]]
2023/08/23 13:04:35 INF Disconnect client [pid=1010|ep=[undef]]

If I take the pkcs10 certificate request from the workflow context (from the Web GUI) I can enrol the certificate.

The profile is

# The name of the file equals the name of the profile
label: IvoControl device certificate

key:
    alg:
      - ec
    generate: client
    ec:
        curve_name:
          - prime256v1
          - secp256r1

style:
    00_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            subject:
              - cn
            info:
              - requestor_realname
              - requestor_email
              - requestor_affiliation
              - owner_contact
              - comment
        subject:
            dn: CN=[% CN %],DC=IvoControl Test CA,DC=IvoControl,DC=net
        metadata:
            requestor: "[% requestor_realname %]"
            email: "[% requestor_email %]"
            owner_contact: "[% owner_contact || requestor_email %]"
            entity: "[% hostname FILTER lower %]"

    enroll:
        subject:
            dn: CN=[% CN.0 %],O=Ivoclar Vivadent AG,L=Schaan,C=LI,DC=ivocontrol,DC=net
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            # entity: "[% CN.0.replace(':.*','') FILTER lower %]"

# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
    key_usage:
        critical: 1
        digital_signature: 1
        key_encipherment: 1
    extended_key_usage:
        critical: 0
        client_auth: 1

I have no idea where to start looking for the cause of the problem.

Thanks in advance
Thomas

NetSec.co AG
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co
+423 388 2777 / +423 388 2770 (direct)
[email protected]<mailto:[email protected]>
https://threema.id/NK3MJMNP
Chat on MS Teams<https://teams.microsoft.com/l/chat/0/[email protected]>

_______________________________________________
OpenXPKI-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
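The lookup Oliver describes (the EST endpoint config names a profile, the workflow then checks that a profile of that name exists) is easy to lint before the next enrollment fails. The following is an added example, not OpenXPKI code. It assumes, from the log path est|ivoc-test|profile and from the workaround above, that each endpoint has its own <realm>/est/<endpoint>.yaml whose `profile` hash carries a `default` name and an optional map keyed by the CSR's certificateTemplateName (the map key `cert_profile_map` is a guess), that an endpoint without its own file yields no profile, and that profile names are the file stems under <realm>/profile/ with default.yaml being shared defaults rather than a profile. Endpoint configs are passed in as already-parsed dicts; reading them from YAML is left to the reader.

```python
"""Lint: which profile would an OpenXPKI EST endpoint resolve to, and does it exist?

Added example, not OpenXPKI's own code. Assumed layout (see lead-in):
  <realm>/est/<endpoint>.yaml  -> profile: {default: NAME, cert_profile_map: {...}}
  <realm>/profile/NAME.yaml    -> the profile; profile/default.yaml is shared defaults
"""
from __future__ import annotations

import tempfile
from pathlib import Path

INVALID_PROFILE = "I18N_OPENXPKI_UI_INVALID_PROFILE"


def list_profiles(realm_dir: Path) -> set[str]:
    """Profile names are the stems of <realm>/profile/*.yaml, minus default.yaml."""
    return {p.stem for p in (realm_dir / "profile").glob("*.yaml") if p.stem != "default"}


def resolve_profile(endpoint_cfg: dict, template_name: str | None = None) -> str | None:
    """Mirror the log order: read est|<endpoint>|profile as a hash, consult the CSR's
    certificateTemplateName if it is non-empty, otherwise fall back to `default`."""
    profile_cfg = endpoint_cfg.get("profile")
    if isinstance(profile_cfg, str):          # tolerate a plain scalar `profile: NAME`
        return profile_cfg
    if not isinstance(profile_cfg, dict):
        return None
    if template_name:
        mapped = profile_cfg.get("cert_profile_map", {}).get(template_name)  # assumed key
        if mapped:
            return mapped
    return profile_cfg.get("default")


def check_endpoint(realm_dir: Path, endpoint: str, endpoint_cfgs: dict,
                   template_name: str | None = None) -> tuple[str, str | None]:
    """Return ("ok", name) or (INVALID_PROFILE, name-or-None) for one endpoint."""
    cfg = endpoint_cfgs.get(endpoint)
    if cfg is None:
        # assumption: no <endpoint>.yaml means no profile is resolved for it
        return INVALID_PROFILE, None
    name = resolve_profile(cfg, template_name)
    if name is None or name not in list_profiles(realm_dir):
        return INVALID_PROFILE, name
    return "ok", name


def demo() -> tuple[tuple[str, str | None], tuple[str, str | None]]:
    """Constructed sample realm: profile ivoc-test exists, but only est/default.yaml
    is present. Returns the verdict before and after the 'copy default.yaml' fix."""
    with tempfile.TemporaryDirectory() as tmp:
        realm = Path(tmp) / "ivoc"
        (realm / "profile").mkdir(parents=True)
        (realm / "profile" / "default.yaml").write_text("# shared defaults, not a profile\n")
        (realm / "profile" / "ivoc-test.yaml").write_text("label: IvoControl device certificate\n")

        cfgs = {"default": {"profile": {"default": "ivoc-test"}}}   # constructed endpoint config
        before = check_endpoint(realm, "ivoc-test", cfgs)
        cfgs["ivoc-test"] = cfgs["default"]      # the workaround: est/default.yaml -> est/<endpoint>.yaml
        after = check_endpoint(realm, "ivoc-test", cfgs)
        return before, after


if __name__ == "__main__":
    for label, (status, name) in zip(("before", "after"), demo()):
        print(f"{label}: {status} (profile={name})")
```

Run it against a real deployment by loading each <realm>/est/*.yaml with PyYAML into the `endpoint_cfgs` dict and pointing `realm_dir` at the realm's config directory; anything that comes back as INVALID_PROFILE is a profile name the workflow will reject before it looks at the CSR.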
