Hey,
Thanks for your help.
I have now changed it and now I get the certificates displayed via WebGui
under My Tasks but via CLI it still says Failure and I still have error
logs. Where can I define signers?
Workflows.log:
2024/02/05 07:19:42 8703 Rendering subject: CN=scep-server,DC=Test
Deployment,DC=OpenXPKI,DC=org
2024/02/05 07:19:42 8703 Trusted Signer chain - certificate is self signed
2024/02/05 07:19:42 8703 Trusted Signer not found in trust list
(CN=scep-server,O=MyOrg,ST=MyState,C=XX).
2024/02/05 07:19:43 8703 Eligibility check for
scep.generic.eligible.initial failed
2024/02/05 07:19:43 8703 Trigger notification message
enroll_approval_pending
catchcall.log:
2024/02/05 07:19:38 openxpki.auth.INFO Login successful (user: Anonymous,
role: System) [pid=63279|sid=+U/i|pki_realm=test]
2024/02/05 07:19:39 openxpki.auth.INFO Login successful (user: Anonymous,
role: System) [pid=63281|sid=L1yv|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFORendering subject:
CN=scep-server,DC=Test Deployment,DC=OpenXPKI,DC=org
[pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFOTrusted Signer chain -
certificate is self signed
[pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFOTrusted Signer not found in
trust list (CN=scep-server,O=MyOrg,ST=MyState,C=XX).
[pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFOEligibility check for
scep.generic.eligible.initial failed
[pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFOTrigger notification message
enroll_approval_pending
[pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:52 openxpki.application.INFOPurged 1 expired sessions
[pid=63109|sid=Qzi3|pki_realm=test]
2024/02/05 07:20:34 openxpki.auth.INFO Login successful (user: Anonymous,
role: System) [pid=63287|sid=JXPx|pki_realm=test]
2024/02/05 07:24:57 openxpki.application.INFOPurged 3 expired sessions
[pid=63109|sid=Qzi3|pki_realm=test]
scep.log:
2024/02/05 07:19:44 INF Request Pending - PENDING [pid=61645|ep=generic]
2024/02/05 07:19:44 INF Send pending response for
459BA147BDD0E5DEFD7225A843EBD7B5 [pid=61645|ep=generic]
2024/02/05 07:19:44 INF Disconnect client [pid=61645|ep=generic]
2024/02/05 07:20:35 ERR Unable to parse PKCS10: decode: decode error
06<=>30 4 8 certificationRequestInfo at /usr/share/perl5/Convert/ASN1/_
decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at
/usr/share/perl5/Crypt/PKCS10.pm line 756.
Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1,
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607
eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
Crypt::PKCS10::new("Crypt::PKCS10",
"0\x{82}\x{8}\x{c7}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{8}\x{b8}0\x{82}\x{8}\x{b4}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{3}\x{5}\x{0}0\x{82}\x{2}\x{e6}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
"ignoreNonBase64", 1, "verifySignature", 1) called at
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5649357e2b68),
CGI::Fast=HASH(0x564932fb3278)) called at /usr/lib/cgi-bin/scepv3.fcgi line
100
[pid=61645|ep=generic]
2024/02/05 07:20:35 WAR Client error / malformed request badRequest
[pid=61645|ep=generic]
2024/02/05 07:20:36 INF Disconnect client [pid=61645|ep=generic]
Oliver Welter <[email protected]> wrote on Mon, 5 Feb 2024 at 11:51:
> Hi Ali,
>
> you need to define a policy file matching the name of the used endpoint.
> The endpoint is the later part of the used URL, so "scep" in your case and
> so must be the name of the policy file in config.d/realm/democa/scep. The
> default configuration ships a file named "generic.yaml", so your URL should
> be /scep/generic to match this file. We have changed the "fallback"
> behaviour in this point with the switch to the new SCEP login two releases
> ago, so old examples are likely no longer working with the stock config, I
> would therefore appreciate if you report outdated documentation so we can
> fix it.
>
>
> Oliver
> On 05.02.24 10:52, Ali Danakiran wrote:
>
> Hello,
> Sorry for replying so late.
> I have now looked up ErrorLog.
>
> Scep.log:
> 2024/02/05 01:52:43 WAR Client error / bad request badRequest
> [pid=61645|ep=scep]
> 2024/02/05 01:52:43 INF Disconnect client connection [pid=61645|ep=scep]
>
> Workflows.log:
> 2024/02/05 01:52:42 6655 No policy parameters set in LoadPolicy
>
> Catchcall.log:
>
> 2024/02/05 01:52:42 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR
> configuration_error exception thrown from
> [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; previously:
> OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the
> profile name or the key_rules directly
> [pid=61773|user=Anonymous|role=System|sid=iEm6|wftype=certificate_enroll|wfid=6655|pki_realm=test]
> 2024/02/05 01:52:42 OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR
> configuration_error exception thrown from
> [OpenXPKI::Server::Workflow::Condition::KeyParams: 40; previously:
> OpenXPKI::Server::Workflow::Condition: 53]: You must pass either the
> profile name or the key_rules directly
> [pid=61773|user=Anonymous|role=System|sid=iEm6|wftype=certificate_enroll|wfid=6655|pki_realm=test]
>
> I always get the same error messages
>
>
> Oliver Welter <[email protected]> wrote on Tue, 30 Jan 2024 at 17:03:
>
>> Hi Ali,
>>
>> go to the Webui, search for the workflow and read the error message there
>> - if there is no workflow, check the scep.log on the console and try
>> running sscep with "-v" or "-d" to get some additional output.
>>
>> Oliver
>> On 30.01.24 15:48, Ali Danakiran wrote:
>>
>>
>> Hi
>>
>> Can anyone tell me why I get the error code.
>>
>>
>>
>> */sscep# ./sscep enroll -u http://IP-ADDRESS/scep/scep \
>>
>> -k tmp/scep-test.key -r tmp/scep-test.csr \
>>
>> -c tmp/cacert-0 \
>>
>> -l tmp/scep-test.crt \
>>
>> -t 10 -n 1*
>>
>>
>>
>> ./sscep: Certificate request sent
>>
>> ./sscep: Valid response from the server
>>
>> ./sscep: Response transaction ID:
>>
>> ./sscep: pkistatus: FAILURE
>>
>> ./sscep: Reason: Transaction not allowed or supported
>>
>> Martin Bartosch via OpenXPKI-users <[email protected]>
>> wrote on Fri, 26 Jan 2024 at 16:21:
>>
>>> Hi,
>>>
>>> > I'm a bit further along now, I installed sscep via Github Link but now
>>> I get the error message:
>>> > /sscep# ./sscep getca -c tmp/cacert -u http://domainorip/scep/scep
>>> > ./sscep: cannot open cert file for writing
>>>
>>> mkdir tmp
>>>
>>> and retry.
>>>
>>> Cheers
>>>
>>> Martin
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>
>>
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
>
>
> --
> Protect your environment - close windows and adopt a penguin!
>
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
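
Added example, not part of the original thread and not OpenXPKI code: the byte string handed to Crypt::PKCS10 in the scep.log trace begins with a ContentInfo OID where a PKCS#10 parser expects the certificationRequestInfo SEQUENCE, which is consistent with the reported `06<=>30` mismatch at offset 4. The sketch reads the first DER tags of that truncated prefix (transcribed as hex from the trace); the function names are illustrative.

```python
# PREFIX: the truncated bytes shown in the Crypt::PKCS10::new() trace line,
# transcribed to hex. Only the leading tags are needed for classification.
PREFIX = bytes.fromhex(
    "308208c7" "06092a864886f70d010702" "a08208b8" "308208b4" "020101"
    "310f300d0609608648016503040203" "0500" "308202e6" "06092a864886f70d010701"
)

KNOWN_OIDS = {
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.2": "pkcs7-signedData",
    "1.2.840.113549.1.7.3": "pkcs7-envelopedData",
}

def read_tlv_header(buf, pos):
    """Return (tag, length, offset_of_value) for the DER element at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:                      # continuation bit: more octets follow
            continue
        if not arcs:                      # first subidentifier packs two arcs
            top = min(acc // 40, 2)
            arcs += [top, acc - 40 * top]
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(map(str, arcs))

def classify(buf):
    """Describe a DER blob from the first element of its outer SEQUENCE."""
    tag, _, body = read_tlv_header(buf, 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner_tag, inner_len, inner_val = read_tlv_header(buf, body)
    if inner_tag == 0x30:
        return "PKCS#10-like (certificationRequestInfo SEQUENCE)"
    if inner_tag == 0x06:
        oid = decode_oid(buf[inner_val:inner_val + inner_len])
        return "ContentInfo " + KNOWN_OIDS.get(oid, oid)
    return "unknown (first inner tag 0x%02x)" % inner_tag
```

`classify(PREFIX)` reports a PKCS#7 signedData ContentInfo, so the data reaching the PKCS#10 parser at 07:20:35 was a signed PKCS#7 structure and not a bare certificate request.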