Hi Thomas,
just a side note - you can also just resend the CSR (without the "-R"),
OpenXPKI will find the old request as long as the CSR is still the same.
Oliver
On 30.11.23 08:25, Thomas Stecher wrote:
Hello Oliver!
I removed the pickup_namespace line and rebooted the server.
Initially, I got an error message 'ambigous search result at
/usr/share/perl5/OpenXPKI/Client/Service/Role/PickupWorkflow.pm line
52.' when retrying.
However, that is probably related to the fact that I have multiple
workflows with the same CSR (transaction_id) from testing, which does
not seem ideal - the error message is pretty clear to me.
Clearing the approval queue and generating a new key and CSR, I can
now enroll with sscep (don't think clearing the queue is actually
required...)!
Thank you very much for your help and have a nice week!
On 29.11.2023 at 18:28, Oliver Welter wrote:
Hi Thomas,
that is a problem with the pickup magic which is not consistent in
the example configuration.
There are three methods to handle the pickup logic and the only one
which is implemented in the example workflow shipped with the
community edition is not the one that is expected by the SCEP
configuration :(
Please remove the line
pickup_namespace= transaction_id
from the scep/<endpoint>.conf file and restart your apache,
afterwards I expect this to work.
best regards
Oliver
On 29.11.23 12:42, Thomas Stecher wrote:
Hello!
I am trying to set up OpenXPKI with SCEP on our internal
infrastructure for evaluation purposes.
Unfortunately, it does not work, neither with sscep nor with certmonger.
The issue seems to come from querying an in progress certificate.
Initially requesting a certificate does succeed with sscep - I have
it in pending enrollment approval (it does not work with certmonger,
but that is because of the transaction_id not matching the hash
regex and probably a client bug, I'll try to solve that in the
workflow later and post the workaround).
Commands to reproduce:
# Gets CA certificates - works
./sscep \
getca \
-u http://openxpki.synedra.lan/scep/generic \
-c tst/ca-cert
# Works initially, fails after querying enrollment progress after
two seconds (-t 2)
./sscep \
enroll \
-u http://openxpki.synedra.lan/scep/generic/ \
-k tst/test.key \
-r tst/test.csr \
-l tst/test.crt \
-c tst/ca-cert-0 \
-t 2 \
-v
# After initially enrolling, you can reproduce the issue with this
command, without enrolling a second certificate:
./sscep \
enroll \
-R \
-u http://openxpki.synedra.lan/scep/generic/ \
-k tst/test.key \
-r tst/test.csr \
-l tst/test.crt \
-c tst/ca-cert-0 \
-t 2 \
-v
I started with a fresh config, just so we had less potential issues
with SCEP - you can find a diff between our and default cfg attached.
Log says:
2023/11/29 09:47:11 ERR
I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID [pid=2659|ep=generic]
2023/11/29 09:47:11 INF Input validation failed [pid=2659|ep=generic]
2023/11/29 09:47:11 WAR Client error / malformed request badRequest
[pid=2659|ep=generic]
2023/11/29 09:47:11 INF Disconnect client [pid=2659|ep=generic]
...on trace (attached), it reports that there is no pkcs10 payload
attached on the GetCertInitial request.
If I got this right
(https://datatracker.ietf.org/doc/html/rfc8894#CertPoll), then there
should be no PKCS10 here at all.
I believe it's starting the wrong workflow (certificate_enroll, when
it should be check_enrollment). In /usr/lib/cgi-bin/scepv3.fcgi on
line 102 it says '# TODO - improve handling of GetCertInitial and
RenewalReq' - could this be the issue?
Has anyone got SCEP enrollment with manual approval working? Did I
do anything wrong?
Thanks for your help and kind regards!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
--
Thomas Stecher
IT Infrastructure
*synedra information technologies GmbH*
Feldstr. 1/13 | 6020 Innsbruck | Austria
www.synedra.com <http://www.synedra.com>
Registered office: Innsbruck, Commercial Court Innsbruck,
Commercial register: 268961 g
Managing directors: Dr. T. Pellizzari, Dr. S. Andreatta, Mag. J. Fellner
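Not code from OpenXPKI or sscep, but an added Python illustration of the pickup behaviour discussed in this thread: why resending the same CSR finds the old request (the transaction ID derives from the key), why repeated test enrollments with one key end in the 'ambiguous search result', and why a client ID that is not a hex fingerprint fails input validation. The hash algorithm, the hex pattern and the workflow records are assumptions made for the example.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for the DER-encoded public keys inside two CSRs;
# in reality these are the SubjectPublicKeyInfo bytes from the request.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"

# Illustrative stand-in for the "hash regex" mentioned in the thread:
# a hex fingerprint of 32 to 64 characters (assumed pattern).
HEX_ID = re.compile(r"^[0-9A-Fa-f]{32,64}$")


def transaction_id(public_key_der: bytes) -> str:
    """Derive the SCEP transactionID from the requester's public key.

    Assumption: SHA-256 over the key bytes. The ID depends only on the key,
    so resending the same CSR reproduces the same ID (the server can find the
    pending request), while a freshly generated key yields a new ID.
    """
    return hashlib.sha256(public_key_der).hexdigest()


def is_valid_transaction_id(tid: str) -> bool:
    """Input validation applied before any workflow is started; a client
    that sends a non-hex ID (the certmonger case above) is rejected here."""
    return HEX_ID.fullmatch(tid) is not None


class AmbiguousPickup(Exception):
    """More than one open workflow carries the same transaction_id."""


def pickup(workflows: list, tid: str) -> Optional[dict]:
    """Find the single pending workflow for tid, as the pickup step of a
    GetCertInitial poll would. Returns None when nothing is pending and
    raises when several workflows match, which is what repeated test
    enrollments with one key leave behind."""
    matches = [wf for wf in workflows if wf["transaction_id"] == tid]
    if len(matches) > 1:
        raise AmbiguousPickup(f"{len(matches)} workflows match {tid[:12]}...")
    return matches[0] if matches else None


# Constructed approval queue: KEY_A was enrolled twice during testing.
QUEUE = [
    {"id": 101, "transaction_id": transaction_id(KEY_A), "state": "PENDING"},
    {"id": 102, "transaction_id": transaction_id(KEY_A), "state": "PENDING"},
]
```

Clearing the duplicate (or enrolling with a new key, as done in the thread) makes the pickup unambiguous again.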