Hi Thomas,
that is a problem with the pickup magic which is not consistent in the
example configuration.
There are three methods to handle the pickup logic and the only one
which is implemented in the example workflow shipped with the community
edition is not the one that is expected by the SCEP configuration :(
Please remove the line
pickup_namespace= transaction_id
from the scep/<endpoint>.conf file and restart your apache, afterwards I
expect this to work.
best regards
Oliver
On 29.11.23 12:42, Thomas Stecher wrote:
Hello!
I am trying to set up OpenXPKI with SCEP on our internal
infrastructure for evaluation purposes.
Unfortunately, it does not work with either sscep or certmonger.
The issue seems to come from querying an in progress certificate.
Initially requesting a certificate does succeed with sscep - I have it
in pending enrollment approval (it does not work with certmonger, but
that is because of the transaction_id not matching the hash regex and
probably a client bug, I'll try to solve that in the workflow later
and post the workaround).
Commands to reproduce:
# Gets CA certificates - works
./sscep \
getca \
-u http://openxpki.synedra.lan/scep/generic \
-c tst/ca-cert
# Works initially, fails after querying enrollment progress after two seconds (-t 2)
./sscep \
enroll \
-u http://openxpki.synedra.lan/scep/generic/ \
-k tst/test.key \
-r tst/test.csr \
-l tst/test.crt \
-c tst/ca-cert-0 \
-t 2 \
-v
# After initially enrolling, you can reproduce the issue with this command, without enrolling a second certificate:
./sscep \
enroll \
-R \
-u http://openxpki.synedra.lan/scep/generic/ \
-k tst/test.key \
-r tst/test.csr \
-l tst/test.crt \
-c tst/ca-cert-0 \
-t 2 \
-v
I started with a fresh config, just so we had less potential issues
with SCEP - you can find a diff between our and default cfg attached.
Log says:
2023/11/29 09:47:11 ERR I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID [pid=2659|ep=generic]
2023/11/29 09:47:11 INF Input validation failed [pid=2659|ep=generic]
2023/11/29 09:47:11 WAR Client error / malformed request badRequest [pid=2659|ep=generic]
2023/11/29 09:47:11 INF Disconnect client [pid=2659|ep=generic]
...on trace (attached), it reports that there is no pkcs10 payload
attached on the GetCertInitial request.
If I got this right
(https://datatracker.ietf.org/doc/html/rfc8894#CertPoll), then there
should be no PKCS10 here at all.
I believe it's starting the wrong workflow (certificate_enroll, when
it should be check_enrollment). In /usr/lib/cgi-bin/scepv3.fcgi on
line 102 it says '# TODO - improve handling of GetCertInitial and
RenewalReq' - could this be the issue?
Has anyone got SCEP enrollment with manual approval working? Did I do
anything wrong?
Thanks for your help and kind regards!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
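To make the CertPoll point in the thread concrete, here is an added example (not OpenXPKI's or sscep's code) of how a SCEP server side should dispatch on messageType per RFC 8894: only PKCSReq and RenewalReq carry a PKCS#10 body, a CertPoll (GetCertInitial) carries IssuerAndSubject and is answered by looking up the pending enrollment by transactionID, and the transactionID itself is only required to be a PrintableString, not a hex hash. The pkiMessage fields are modelled as plain dicts and the pending-enrollment store is an in-memory dict; both are constructed for the example, as are the transactionID and CSR placeholder values.

```python
"""Minimal SCEP request router illustrating RFC 8894 payload rules.

Added example, not OpenXPKI code. pkiMessages are modelled as dicts
(constructed sample data) instead of parsed PKCS#7, so it runs offline.
"""
import re

# messageType values, RFC 8894 section 3.2.1.2
PKCS_REQ, RENEWAL_REQ, CERT_POLL, GET_CERT, GET_CRL = 19, 17, 20, 21, 22
# pkiStatus values (3.2.1.3) and failInfo values (3.2.1.4)
SUCCESS, FAILURE, PENDING = 0, 2, 3
BAD_REQUEST, BAD_CERT_ID = 2, 4

# transactionID is an ASN.1 PrintableString (RFC 8894 3.2.1.1). A hex-only
# regex would wrongly reject clients that use other printable characters.
PRINTABLE_STRING = re.compile(r"^[A-Za-z0-9 '()+,./:=?-]+$")


class BadRequest(Exception):
    """Maps to pkiStatus FAILURE / failInfo badRequest."""
    fail_info = BAD_REQUEST


def route(msg, pending):
    """Return a CertRep-like dict for an incoming pkiMessage.

    `pending` maps transactionID -> "pending" or issued certificate bytes;
    it stands in for the workflow lookup a real server performs.
    """
    tid = msg.get("transactionID", "")
    if not PRINTABLE_STRING.match(tid):
        raise BadRequest("transactionID is not a PrintableString")
    mtype = msg["messageType"]

    if mtype in (PKCS_REQ, RENEWAL_REQ):
        # Only these two message types carry a PKCS#10 body.
        if not msg.get("pkcs10"):
            raise BadRequest("PKCSReq/RenewalReq without PKCS#10 body")
        if tid in pending:
            # Re-sent request for a known transactionID: answer like a poll
            # instead of opening a second enrollment (design choice here).
            return _answer(tid, pending)
        pending[tid] = "pending"  # enrollment waits for operator approval
        return {"transactionID": tid, "pkiStatus": PENDING}

    if mtype == CERT_POLL:
        # CertPoll carries IssuerAndSubject, never a CSR; requiring pkcs10
        # here is exactly the input-validation failure to avoid.
        if "issuerAndSubject" not in msg:
            raise BadRequest("CertPoll without IssuerAndSubject")
        if tid not in pending:
            return {"transactionID": tid, "pkiStatus": FAILURE,
                    "failInfo": BAD_CERT_ID}
        return _answer(tid, pending)

    raise BadRequest(f"unsupported messageType {mtype}")


def _answer(tid, pending):
    state = pending[tid]
    if state == "pending":
        return {"transactionID": tid, "pkiStatus": PENDING}
    return {"transactionID": tid, "pkiStatus": SUCCESS, "certificate": state}


def approve(pending, tid, cert):
    """Operator approval: attach the issued certificate to the transaction."""
    pending[tid] = cert


def rejects(msg, pending=None):
    """True if `msg` is refused with badRequest (used to check edge cases)."""
    try:
        route(msg, {} if pending is None else pending)
    except BadRequest:
        return True
    return False


def demo():
    """Enroll, poll while pending, approve, poll again; return the statuses."""
    pending = {}
    tid = "tx-evaluation-0001"  # constructed; printable but not hex
    ias = ("CN=Example CA", "CN=host.example")  # constructed IssuerAndSubject
    statuses = [route({"messageType": PKCS_REQ, "transactionID": tid,
                       "pkcs10": b"<CSR placeholder>"}, pending)["pkiStatus"]]
    statuses.append(route({"messageType": CERT_POLL, "transactionID": tid,
                           "issuerAndSubject": ias}, pending)["pkiStatus"])
    approve(pending, tid, b"<issued certificate placeholder>")
    statuses.append(route({"messageType": CERT_POLL, "transactionID": tid,
                           "issuerAndSubject": ias}, pending)["pkiStatus"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

The check that matters for the thread is the CertPoll branch: a poll with no pkcs10 field must reach the pending-store lookup, while a PKCSReq with no PKCS#10 is the only case that legitimately fails input validation with badRequest.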