Hi Eddy,

I sent a message a few hours ago, but it was very heavy with logs and required 
a moderator to accept it. I could make it work today, and the way to make it 
work is a little bit strange with the sampleconfig.sh.

What you need to know for certain is that the command

openxpkiadm alias --realm democa
=== functional token ===
ratoken (cmcra):
  Alias     : ratoken-6
  Identifier: 96NSkXyj7AoH-lZKsHdsCwQ2Wig
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2025-06-26 11:25:17

vault (datasafe):
  Alias     : vault-6
  Identifier: C_NDVXEyczTBLKsxUwMtsBeeRSE
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2034-06-29 11:25:17

ca-signer (certsign):
  Alias     : ca-signer-6
  Identifier: KQYOW1Jj6Szn1LedtvGL-Qwojk4
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2029-06-28 11:25:17

ratoken (scep):
  Alias     : ratoken-6
  Identifier: 96NSkXyj7AoH-lZKsHdsCwQ2Wig
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2025-06-26 11:25:17

=== root ca ===
current root ca:
  Alias     : root-6
  Identifier: gzMd-uc0Y3mFCwRIjyldQYRSaaE
  NotBefore : 2024-06-26 11:25:16
  NotAfter  : 2034-06-29 11:25:16

Especially, you need to have a token in the SCEP and also the current root CA 
should be available. If you have that, the only other thing that you need is 
another key. Likely you were working with this key before, and this creates a 
workflow in the OpenXPKI server with that error. With a new key and a valid CN, 
I got a successful connection; you need to get the CA again from zero and start 
the process with enroll again. If the command that I sent looks like this, you 
should be able to get a PENDING status.

Best regards,


Jairo R. Mejia Aponte | Embedded Software Linux Junior Engineer

Netmodule | Hirschmann Automation & Control GmbH

Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany

jairo.mejiaapo...@netmodule.com | www.netmodule.com | www.belden.com
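The check Jairo describes (a functional token in the `scep` group plus a current root CA, both valid when the device enrolls) can be scripted against the output of `openxpkiadm alias --realm democa`. The following is an added example, not code from the thread or from the OpenXPKI project; it parses the listing format shown in the message above and only assumes that the real command output keeps that layout (the sample below is a trimmed copy of the listing in the message):

```python
"""Pre-flight check for an OpenXPKI SCEP endpoint (added example).

Parses the text printed by `openxpkiadm alias --realm <realm>` in the layout
shown above and confirms that a functional token exists in the `scep` group
and that a current root CA is listed, both valid on the enrollment date.
"""
import re
from datetime import datetime

# Constructed sample: copied from the listing in the message above, trimmed to
# three entries. Feed the real command output to the functions below instead.
SAMPLE_ALIAS_OUTPUT = """\
=== functional token ===
ca-signer (certsign):
  Alias     : ca-signer-6
  Identifier: KQYOW1Jj6Szn1LedtvGL-Qwojk4
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2029-06-28 11:25:17

ratoken (scep):
  Alias     : ratoken-6
  Identifier: 96NSkXyj7AoH-lZKsHdsCwQ2Wig
  NotBefore : 2024-06-26 11:25:17
  NotAfter  : 2025-06-26 11:25:17

=== root ca ===
current root ca:
  Alias     : root-6
  Identifier: gzMd-uc0Y3mFCwRIjyldQYRSaaE
  NotBefore : 2024-06-26 11:25:16
  NotAfter  : 2034-06-29 11:25:16
"""

# "ratoken (scep):" -> name "ratoken", group "scep"; "current root ca:" -> no group
HEADER_RE = re.compile(r"^(\S.*?)(?: \((\w+)\))?:$")
# "  NotAfter  : 2025-06-26 11:25:17" -> field "NotAfter", value "2025-06-26 11:25:17"
FIELD_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_alias_listing(text):
    """Return a dict keyed by token group ("scep", "certsign", ...) or, for the
    root section, by its label ("current root ca"); values are the field maps."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("==="):
            current = None          # blank lines and section banners end an entry
            continue
        header = HEADER_RE.match(line)
        if header:
            key = header.group(2) or header.group(1)
            current = entries.setdefault(key, {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return entries


def scep_preflight(text, enroll_date, required=("scep", "current root ca")):
    """Return (ok, problems) for an enrollment on `enroll_date` ("YYYY-MM-DD").

    Each required entry must be present and its NotBefore..NotAfter window
    must cover the enrollment date; `problems` lists what fails, if anything.
    """
    when = datetime.strptime(enroll_date, "%Y-%m-%d")
    entries = parse_alias_listing(text)
    problems = []
    for key in required:
        entry = entries.get(key)
        if entry is None:
            problems.append(f"missing: {key}")
            continue
        not_before = datetime.strptime(entry["NotBefore"], TS_FORMAT)
        not_after = datetime.strptime(entry["NotAfter"], TS_FORMAT)
        if not not_before <= when <= not_after:
            problems.append(
                f"{key} ({entry['Alias']}) not valid on {enroll_date}: "
                f"{not_before:%Y-%m-%d} .. {not_after:%Y-%m-%d}")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = scep_preflight(SAMPLE_ALIAS_OUTPUT, "2024-07-01")
    print("ready for enrollment" if ok else "\n".join(problems))
```

Run it with the real listing piped in, or call `scep_preflight` with the date the device will enroll; the `scep` token in the sample is only valid for one year, so a device enrolling after 2025-06-26 would be flagged before anyone starts digging through the server logs.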

________________________________
From: Eddy BODIN via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Sent: Wednesday, June 26, 2024 11:37
To: openxpki-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net>
Cc: Eddy BODIN <eddy.bo...@non.se.com>
Subject: Re: [OpenXPKI-users] [SCEP] HTTP Error 500 with OpenXpki v3.30.3

Hi Oliver,

Thank you for your reply. The situation has changed a bit: after pushing a new 
certificate chain (root, certsign, scep), the enrollment now goes further. And 
now I get an error that seems to be similar to Jairo R. Mejia Aponte's post: 
https://sourceforge.net/p/openxpki/mailman/message/58788506/
I saw your answer in this post, and I tried to change the URL (../scep/generic), 
but the result is the same: I got an invalid profile.

Best regards
Eddy

SSCEP logs:
sscep enroll -u http://192.168.1.153:80/scep/generic -v -d -k local.key -r 
local.csr -l local.crt -c pki2.crt-0
sscep: PKCS#7 contains 0 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 65950E20937C5635E1D2F510E19985E9
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: 4D3889B2BF799BBFE1FCB54F90477B00
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: C68880C978F23DDFA9AC7947142D9E1F
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported

OpenXPKI logs:

==> /var/log/openxpki/openxpki.log <==
2024/06/26 05:24:33 INFO Login successful (user: Anonymous, role: System) 
[pid=4071|sid=BX+t|pki_realm=democa]

==> /var/log/openxpki/catchall.log <==
2024/06/26 05:24:33 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=4071|sid=BX+t|pki_realm=democa]

==> /var/log/openxpki/openxpki.log <==
2024/06/26 05:24:33 INFO Login successful (user: Anonymous, role: System) 
[pid=4072|sid=U4NR|pki_realm=democa]

==> /var/log/openxpki/catchall.log <==
2024/06/26 05:24:33 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=4072|sid=U4NR|pki_realm=democa]

==> /var/log/openxpki/scep.log <==
2024/06/26 05:24:33 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE 
[pid=3930|ep=generic]
2024/06/26 05:24:33 WAR Client error / malformed request: badRequest (internal 
code: 40006) [pid=3930|ep=generic]

CSR:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN=PetitPoucet, C=FR, O=SE, OU=RnD
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a3:f5:ca:b3:b2:e0:56:6b:a9:96:c5:b6:40:fa:
                    3b:a9:4a:...
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :SecretChallenge
            Requested Extensions:
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5d:b3:a8:75:b1:df:8c:c1:6f:e9:a1:cd:c9:69:42:3b:7d:31:
        57:8d:02:f8:...
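The two log excerpts above illustrate a point worth keeping in mind when triaging SCEP failures: the client only sees the generic failInfo (sscep prints it as "Transaction not permitted or supported" for badRequest), while the actual cause (here I18N_OPENXPKI_UI_INVALID_PROFILE) appears only in the server's scep.log. The following added example, which is not code from the thread or from OpenXPKI or sscep, pulls the status fields out of sscep's verbose output and the ERR/WAR entries out of scep.log for the endpoint the client used, and pairs them in one summary. It assumes the line layouts shown above; both samples are trimmed copies of the logs in the message:

```python
"""Triage helper for a failed SCEP enrollment (added example).

sscep reports only the pkiStatus and the generic failInfo reason it received;
the server-side reason is written to scep.log. This combines both views.
"""
import re

# Constructed samples: trimmed copies of the sscep output and the
# OpenXPKI scep.log lines quoted in the message above.
SSCEP_OUTPUT = """\
sscep: reply transaction id: 65950E20937C5635E1D2F510E19985E9
sscep: reply message type is good
sscep: senderNonce in reply: 4D3889B2BF799BBFE1FCB54F90477B00
sscep: recipientNonce in reply: C68880C978F23DDFA9AC7947142D9E1F
sscep: pkistatus: FAILURE
sscep: reason: Transaction not permitted or supported
"""

SCEP_LOG = """\
2024/06/26 05:24:33 ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE [pid=3930|ep=generic]
2024/06/26 05:24:33 WAR Client error / malformed request: badRequest (internal code: 40006) [pid=3930|ep=generic]
"""

# sscep fields worth keeping, mapped to the key used in the summary
CLIENT_FIELDS = {
    "reply transaction id": "transaction_id",
    "pkistatus": "pki_status",
    "reason": "fail_reason",
}
# "sscep: <label>: <value>"; lines without a second ": " are progress chatter
CLIENT_RE = re.compile(r"^sscep: ([\w ]+?): (.+)$")
# "<date> <time> <LEVEL> <message> [pid=<n>|ep=<endpoint>]"
SERVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<level>\w+) (?P<msg>.*?) "
    r"\[pid=(?P<pid>\d+)\|ep=(?P<ep>\w+)\]$"
)


def parse_sscep(text):
    """Extract transaction id, pkiStatus and failInfo reason from sscep -v/-d output."""
    fields = {}
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m and m.group(1) in CLIENT_FIELDS:
            fields[CLIENT_FIELDS[m.group(1)]] = m.group(2).strip()
    return fields


def parse_scep_log(text, levels=("ERR", "WAR")):
    """Return the ERR/WAR entries of scep.log as dicts (ts, level, msg, pid, ep)."""
    events = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m and m.group("level") in levels:
            events.append(m.groupdict())
    return events


def triage(sscep_text, scep_log_text, endpoint="generic"):
    """Combine the client's pkiStatus with the server-side rejections logged
    for the endpoint the client talked to (last path segment of the -u URL)."""
    client = parse_sscep(sscep_text)
    result = {
        "transaction_id": client.get("transaction_id"),
        "pki_status": client.get("pki_status"),
        "client_reason": client.get("fail_reason"),
        "server_events": [],
        "server_reason": None,
    }
    if result["pki_status"] != "FAILURE":
        return result          # nothing to correlate for PENDING/SUCCESS
    for ev in parse_scep_log(scep_log_text):
        if ev["ep"] != endpoint:
            continue
        result["server_events"].append(
            f"{ev['ts']} {ev['level']} pid={ev['pid']}: {ev['msg']}")
        code = re.search(r"I18N_OPENXPKI_\w+", ev["msg"])
        if code and result["server_reason"] is None:
            result["server_reason"] = code.group(0)
    return result


if __name__ == "__main__":
    summary = triage(SSCEP_OUTPUT, SCEP_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The endpoint filter matters on a server that exposes several SCEP URLs: an entry under `ep=scep` says nothing about a request sent to `/scep/generic`, so the summary only keeps entries whose `ep` matches the path the client was pointed at.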





________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, 26 June 2024 07:32
To: openxpki-users@lists.sourceforge.net <openxpki-users@lists.sourceforge.net>
Subject: Re: [OpenXPKI-users] [SCEP] HTTP Error 500 with OpenXpki v3.30.3





Hi Eddy,


It works here for me on our demo without any problems. Do you have any 
specialities in the CSR? What's in the logs?


Oliver



On 23.06.24 21:30, Eddy BODIN via OpenXPKI-users wrote:
Hello,

I have just performed a new installation of OpenXPKI v.30.3 with the APT 
mechanism on my Debian 12.5.0 virtual machine but when I try to enroll with 
SSCEP v0.10.0 (SSCEP is on another Debian 12.5.0 VM - also newly installed), I 
get an HTTP 500 error code from OpenXPKI. Should I add a new argument to SSCEP 
for enrollment?

PS: To install OpenXPKI, I used the quick start documentation and the 
sampleconfig.sh script. The only file I configured was 
/etc/openxpki/config.d/system/database.yaml to type: MariaDB2

root@debian:~/sscep-master/001# sscep enroll -u http://192.168.1.112/scep/scep 
-c pki.crt-0 -k local.key -r local.csr -l local.crt -d
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: 192.168.1.112
sscep: directory: scep/scep
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
...
sscep: connecting to 192.168.1.112:80
sscep: server response status code: 500, MIME header: text/html
sscep: wrong (or missing) MIME content type
sscep: error while sending message
root@debian:~/sscep-master/001#

PS: sscep getca works well

Best Regards
Eddy






_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!
