Hi Ali,
please upgrade to v3.28.2 (see recent message) - this will fix the issue.
Oliver
On 05.02.24 14:24, Ali Danakiran wrote:
Hey,
Thanks for your help.
I have now changed it and now I get the certificates displayed via
WebGui under My Tasks but via CLI it still says Failure and I still
have error logs. Where can I define signers?
Workflows.log:
2024/02/05 07:19:42 8703 Rendering subject: CN=scep-server,DC=Test
Deployment,DC=OpenXPKI,DC=org
2024/02/05 07:19:42 8703 Trusted Signer chain - certificate is self signed
2024/02/05 07:19:42 8703 Trusted Signer not found in trust list
(CN=scep-server,O=MyOrg,ST=MyState,C=XX).
2024/02/05 07:19:43 8703 Eligibility check for
scep.generic.eligible.initial failed
2024/02/05 07:19:43 8703 Trigger notification message
enroll_approval_pending
catchcall.log:
2024/02/05 07:19:38 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63279|sid=+U/i|pki_realm=test]
2024/02/05 07:19:39 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63281|sid=L1yv|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Rendering subject: CN=scep-server,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Trusted Signer not found in trust list (CN=scep-server,O=MyOrg,ST=MyState,C=XX). [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFO Eligibility check for scep.generic.eligible.initial failed [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFO Trigger notification message enroll_approval_pending [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:52 openxpki.application.INFO Purged 1 expired sessions [pid=63109|sid=Qzi3|pki_realm=test]
2024/02/05 07:20:34 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63287|sid=JXPx|pki_realm=test]
2024/02/05 07:24:57 openxpki.application.INFO Purged 3 expired sessions [pid=63109|sid=Qzi3|pki_realm=test]
scep.log:
024/02/05 07:19:44 INF Request Pending - PENDING [pid=61645|ep=generic]
2024/02/05 07:19:44 INF Send pending response for
459BA147BDD0E5DEFD7225A843EBD7B5 [pid=61645|ep=generic]
2024/02/05 07:19:44 INF Disconnect client [pid=61645|ep=generic]
2024/02/05 07:20:35 ERR Unable to parse PKCS10: decode: decode error
06<=>30 4 8 certificationRequestInfo at
/usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at
/usr/share/perl5/Crypt/PKCS10.pm line 756.
Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1,
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607
eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
Crypt::PKCS10::new("Crypt::PKCS10",
"0\x{82}\x{8}\x{c7}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{8}\x{b8}0\x{82}\x{8}\x{b4}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{3}\x{5}\x{0}0\x{82}\x{2}\x{e6}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"...,
"ignoreNonBase64", 1, "verifySignature", 1) called at
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5649357e2b68),
CGI::Fast=HASH(0x564932fb3278)) called at /usr/lib/cgi-bin/scepv3.fcgi
line 100
[pid=61645|ep=generic]
2024/02/05 07:20:35 WAR Client error / malformed request badRequest
[pid=61645|ep=generic]
2024/02/05 07:20:36 INF Disconnect client [pid=61645|ep=generic]
Oliver Welter <[email protected]> wrote on Mon, 5 Feb 2024 at 11:51:
Hi Ali,
you need to define a policy file matching the name of the used
endpoint. The endpoint is the later part of the used URL, so
"scep" in your case and so must be the name of the policy file in
config.d/realm/democa/scep. The default configuration ships a file
named "generic.yaml", so your URL should be /scep/generic to match
this file. We have changed the "fallback" behaviour in this point
with the switch to the new SCEP login two releases ago, so old
examples are likely no longer working with the stock config, I
would therefore appreciate if you report outdated documentation so
we can fix it.
Oliver
On 05.02.24 10:52, Ali Danakiran wrote:
Hello,
Sorry for replying so late.
I have now looked up ErrorLog.
Scep.log:
2024/02/05 01:52:43 WAR Client error / bad request badRequest
[pid=61645|ep=scep]
2024/02/05 01:52:43 INF Disconnect client connection
[pid=61645|ep=scep]
Workflows.log:
2024/02/05 01:52:42 6655 No policy parameters set in LoadPolicy
Catchcall.log:
2024/02/05 01:52:42
OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR
configuration_error exception thrown from
[OpenXPKI::Server::Workflow::Condition::KeyParams: 40;
previously: OpenXPKI::Server::Workflow::Condition: 53]: You must
pass either the profile name or the key_rules directly
[pid=61773|user=Anonymous|role=System|sid=iEm6|wftype=certificate_enroll|wfid=6655|pki_realm=test]
2024/02/05 01:52:42
OpenXPKI.Server.Workflow.Condition.KeyParams.ERROR
configuration_error exception thrown from
[OpenXPKI::Server::Workflow::Condition::KeyParams: 40;
previously: OpenXPKI::Server::Workflow::Condition: 53]: You must
pass either the profile name or the key_rules directly
[pid=61773|user=Anonymous|role=System|sid=iEm6|wftype=certificate_enroll|wfid=6655|pki_realm=test]
I always get the same error messages
Oliver Welter <[email protected]> wrote on Tue, 30 Jan 2024 at 17:03:
Hi Ali,
go to the Webui, search for the workflow and read the error
message there - if there is no workflow, check the scep.log
on the console and try running sscep with "-v" or "-d" to get
some additional output.
Oliver
On 30.01.24 15:48, Ali Danakiran wrote:
Hi
Can anyone tell me why I get the error code?
/sscep# ./sscep enroll -u http://IP-ADDRESS/scep/scep \
-k tmp/scep-test.key -r tmp/scep-test.csr \
-c tmp/cacert-0 \
-l tmp/scep-test.crt \
-t 10 -n 1
./sscep: Certificate request sent
./sscep: Valid response from the server
./sscep: Response transaction ID:
./sscep: pkistatus: FAILURE
./sscep: Reason: Transaction not allowed or supported
Martin Bartosch via OpenXPKI-users <[email protected]> wrote on Fri, 26 Jan 2024 at 16:21:
Hi,
> I'm a bit further along now, I installed sscep via Github Link but now I get the error message:
> /sscep# ./sscep getca -c tmp/cacert -u http://domainorip/scep/scep
> ./sscep: cannot open cert file for writing
mkdir tmp
and retry.
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
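
Added example (not part of the original thread, and not OpenXPKI code): in the scep.log trace above, the bytes passed to Crypt::PKCS10::new begin with a SEQUENCE followed by an OID, where a PKCS#10 request would have a nested SEQUENCE (certificationRequestInfo). This Python sketch reads the outer DER headers to tell the two apart when triaging such a parse error; the function names and the constructed CSR stub are assumptions.

```python
# Added example: classify a DER blob by its two outermost headers.
# OID 1.2.840.113549.1.7.x (PKCS#7 content types) without the last arc.
PKCS7_PREFIX = bytes.fromhex("2a864886f70d0107")
PKCS7_TYPES = {1: "data", 2: "signedData", 3: "envelopedData"}

# Leading bytes of the blob as printed in the scep.log stack trace.
LOG_PREFIX = bytes.fromhex("308208c706092a864886f70d010702a08208b8")
# Constructed stub: SEQUENCE { SEQUENCE { INTEGER 0 } }, shaped like a CSR start.
CONSTRUCTED_CSR = bytes.fromhex("30053003020100")


def read_tlv(buf, pos):
    """Return (tag, value_offset, length) for the DER header at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")


def classify(der):
    """Name the structure a DER blob appears to be, from its outer tags only."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner_tag, inner_start, inner_len = read_tlv(der, start)
    if inner_tag == 0x30:
        # PKCS#10 starts SEQUENCE { certificationRequestInfo SEQUENCE ...
        return "PKCS#10-like"
    if inner_tag == 0x06:
        # ContentInfo starts SEQUENCE { contentType OID ...
        oid = der[inner_start:inner_start + inner_len]
        if len(oid) == 9 and oid[:8] == PKCS7_PREFIX:
            return "PKCS#7 " + PKCS7_TYPES.get(oid[8], "type %d" % oid[8])
        return "ContentInfo-like (other OID)"
    return "unknown"


if __name__ == "__main__":
    print("log blob:       ", classify(LOG_PREFIX))
    print("constructed CSR:", classify(CONSTRUCTED_CSR))
```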