Hi Oliver,
Thanks for the reply. Both *generic* and *scep* endpoint returns the
same result. I found something interesting, this is the output when I
execute the sampleconfig.sh once:
*docker exec -it openxpki-docker-openxpki-server-1 /bin/bash
/etc/openxpki/contrib/sampleconfig.sh*
Fully automated sample setup using tmpdir /tmp/tmp.o2pq4LHEgF
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Successfully imported
certificate into database:
Subject: CN=OpenXPKI Root CA 20240626
Issuer: CN=OpenXPKI Root CA 20240626
Identifier: nPo7UqdVydQ95xBY-g5XagjeaKU
Realm: none
done.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Module rewrite already enabled
Module headers already enabled
Site openxpki already enabled
Site 000-default already disabled
Site default-ssl already disabled
Doing /etc/ssl/certs
OpenXPKI configuration should be and server should be running...
*root@260c601a6567:/var/log/openxpki# openxpkiadm alias --realm democa*
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: FCzZAVlVeXLvJuxzZFIG3c_XRN0
NotBefore : 2024-06-26 08:36:34
NotAfter : 2034-06-29 08:36:34
ratoken (scep):
Alias : ratoken-1
Identifier: IcW0gW4KH5UQ9ajSaxQdhWc5Ye8
NotBefore : 2024-06-26 08:36:34
NotAfter : 2025-06-26 08:36:34
ratoken (cmcra):
Alias : ratoken-1
Identifier: IcW0gW4KH5UQ9ajSaxQdhWc5Ye8
NotBefore : 2024-06-26 08:36:34
NotAfter : 2025-06-26 08:36:34
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 3LyloL0Y0KncuFrrdtXWuwm72I0
NotBefore : 2024-06-26 08:36:33
NotAfter : 2029-06-28 08:36:33
=== root ca ===
current root ca:
not set
upcoming root ca:
not set
As you see, there is no Root CA, it was not set during the
sampleconfig.sh. When that happens, I get the same result 500 MIME
Header errors than Eddy. Following are the logs from scep with that
configuration, this process did not trigger a Workflow:
DEB Config for service 'scep' loaded [pid=71|]
INF SCEP handler initialized [pid=71|]
DEB Autodetect config file for service 'scep': generic.conf
[pid=71|endpoint=generic]
DEB No config file found, falling back to default
[pid=71|endpoint=generic]
DEB added config to cache generic [pid=71|endpoint=generic]
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'generic'
[pid=71|server=generic|endpoint=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|endpoint=generic|server=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: y2ZbhLVNQd2Ay5apTnIKTA==
[pid=71|endpoint=generic|server=generic]
DEB Selecting auth stack _System [pid=71|endpoint=generic|server=generic]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|server=generic|endpoint=generic]
DEB Incoming SCEP operation 'GetCACert' on endpoint 'generic'
[pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|endpoint=generic|server=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: G2frL/QFSPC1x5VNgRy2iw==
[pid=71|endpoint=generic|server=generic]
DEB Selecting auth stack _System [pid=71|endpoint=generic|server=generic]
DEB Workflow "scep_getcacert" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|endpoint=generic|server=generic]
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'generic'
[pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|server=generic|endpoint=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: PpsUh0yGSWql1uSmJ/J8Dg==
[pid=71|server=generic|endpoint=generic]
DEB Selecting auth stack _System [pid=71|server=generic|endpoint=generic]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|endpoint=generic|server=generic]
DEB Incoming SCEP operation 'PKIOperation' on endpoint 'generic'
[pid=71|server=generic|endpoint=generic]
DEB Got PKIOperation via POST [pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Initialize client [pid=71|server=generic|endpoint=generic]
DEB Started volatile session with id: s5PIas8PSrWYSR9P/ufp3A==
[pid=71|server=generic|endpoint=generic]
DEB Selecting auth stack _System [pid=71|server=generic|endpoint=generic]
ERR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
[pid=71|endpoint=generic|server=generic]
DEB HTTP status: [500 Unable to initialize endpoint parameters]
[pid=71|endpoint=generic|server=generic]
ERR Unable to initialize endpoint parameters
[pid=71|server=generic|endpoint=generic]
DEB Disconnect client [pid=71|server=generic|endpoint=generic]
If I go to Information > System status. I see the following message:
Your system status is critical!
OpenXPKI system status
No CRL found!
---
Active Encryption Token
not available (vault-4)
System Version
3.30.3
Hostname
1b6296df61d6
Config Version
commit
config
3.28
dbschema
3
If I run with the user raop to generate a certificate through the
website, creating a key, etc. The workflow stays with:
PAUSED: Certificate signing token is not online, count try 1, wakeup
at 2024-06-26T09:44:07
If after executing a certificate in the website, I execute *again *the
sampleconfig, I see a difference in the response:
Fully automated sample setup using tmpdir /tmp/tmp.OoRZMbp9K3
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Successfully imported
certificate into database:
Subject: CN=OpenXPKI Root CA 20240626
Issuer: CN=OpenXPKI Root CA 20240626
Identifier: 89tR34ocTwuJMZN1W_82A00apzY
Realm: none
Successfully wrote key to /etc/openxpki/local/keys/vault-5.pem
Successfully wrote alias:
Alias : vault-5
Identifier: 7k8pTLuD8eG3a9XbliRs28Vt6tU
NotBefore : 2024-06-26 09:39:55
NotAfter : 2034-06-29 09:39:55
Successfully wrote key to datapool with key 'ca-signer-5'
Successfully wrote alias:
Alias : ca-signer-5
Identifier: SR_Xk8JDQdUxD7WGfTMYl5r6O3g
NotBefore : 2024-06-26 09:39:54
NotAfter : 2029-06-28 09:39:54
Token is certsign, looking for root...
Creating alias for root ca:
Alias : root-5
Identifier: 89tR34ocTwuJMZN1W_82A00apzY
NotBefore : 2024-06-26 09:39:54
NotAfter : 2034-06-29 09:39:54
Successfully wrote key to datapool with key
'51:6D:71:C6:DF:80:F6:97:1F:61:D9:92:DA:ED:1B:A1:5F:34:F9:6E'
Successfully wrote alias:
Alias : ratoken-5
Identifier: vkDEyGogarI0389vqb1u_RNt0VA
NotBefore : 2024-06-26 09:39:55
NotAfter : 2025-06-26 09:39:55
done.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Module rewrite already enabled
Module headers already enabled
Site openxpki already enabled
Site 000-default already disabled
Site default-ssl already disabled
Doing /etc/ssl/certs
---
After that, I got a Root CA and the ENROLLMENT with SSCEP is working
as expected. My problem was that I did the first SSCEP before having a
valid Root CA and because I did not change the key, it always went to
the same workflow with the error. But if I change the key after having
a valid root CA and being able from the website of generating a
certificate is possible later with SCEP and a new key and valid CN.
It seems that there is a problem with the import of the CA the first
time, but I don't understand why I don't see any logs when executing
the bash script. I also added the yaml file to wait for the database,
as the documentation suggested. I verify that the certificate was
signed, and everything seems fine in the tmp file. Nevertheless, the
system does not detect the Root CA the first time.
openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE}"
From Web UI Status:
Active Encryption Token not available (vault-1)
Best Regards,
Mit freundlichen Grüßen,
*
*
*Jairo R. Mejia Aponte* | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
jairo.mejiaapo...@netmodule.com <mailto:benjamin.k...@netmodule.com> |
www.netmodule.com <http://www.netmodule.com/> | www.belden.com
<http://www.belden.com/>
------------------------------------------------------------------------
*From:* Oliver Welter <m...@oliwel.de>
*Sent:* Wednesday, June 26, 2024 07:36
*To:* openxpki-users@lists.sourceforge.net
<openxpki-users@lists.sourceforge.net>
*Subject:* Re: [OpenXPKI-users] [SCEP] Enrollment failing with
I18N_OPENXPKI_UI_INVALID_PROFILE with OpenXPKI v3.30.3
Hello, what URL did you use for enrolling? You must use a valid
endpoint definition, so the one in the sample config is
http: //. . . . /scep/generic Oliver On 25. 06. 24 11: 30, Jairo Mejia
Aponte wrote: Hello, I have just performed a new installation
ZjQcmQRYFpfptBannerStart
External Message:Use caution before opening links or attachments
ZjQcmQRYFpfptBannerEnd
Hello,
what URL did you use for enrolling? You must use a valid endpoint
definition, so the one in the sample config is
http://..../scep/generic <http://..../scep/generic>
Oliver
On 25.06.24 11:30, Jairo Mejia Aponte wrote:
Hello,
I have just performed a new installation of OpenXPKI v.30.3 with
Docker in a Debian 12 host. I tried to enroll with SSCEP v0.10.0, as
the documentation from the docker repo and the quickstart guide
<https://openxpki.readthedocs.io/en/latest/quickstart.html> suggested.
I used the community configuration. The only difference from the
basic configuration is that I increased the logging level and the
real_mode as suggested in a previous Mailing List message when
working with a hostname instead of path (default).
The GETCA operation works, but as soon as I wanted to ENROLL, I got
problems. I received a pkistatus FAILURE in the client and the
reason: "Transaction not permitted or supported". When I looked at
the logs and the workflow in the WebUI, I found out that the process
is failing just at the end after parsing the PKCS10 in the state
PROFILE_SET with global_set_error_invalid_profile. The logs from the
SCEP server are:
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'scep'
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Config created
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Calling context is plain HTTP
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Initialize client
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Started volatile session with id: j6S7lRUpQMSHXnCof9xcEw==
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
DEB Selecting auth stack _System
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB HTTP status: [200 OK]
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Incoming SCEP operation 'PKIOperation' on endpoint 'scep'
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Got PKIOperation via POST
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Config created
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Initialize client
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Started volatile session with id: 3XblKVKDQo+9bKed/z8ysQ==
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Selecting auth stack _System
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Handle enrollment
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Calling context is plain HTTP
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Adding extra parameters for message type 'PKCSReq'
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Pickup via attribute: transaction_id =
6EA7B80F360928775E046C0C3A5FED60
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Pick up workflow #2303
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB HTTP status: [400 Request was rejected:
I18N_OPENXPKI_UI_INVALID_PROFILE]
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
WAR Client error / malformed request: badRequest (internal code:
40006)
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Disconnect client
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
*Workflow history:*
INITIAL enroll_initialize
INITIAL_ENROLL_INITIALIZE_0 global_map_url_params
INITIAL_ENROLL_INITIALIZE_1 enroll_set_transaction_id
INITIAL_ENROLL_INITIALIZE_2 enroll_set_workflow_attributes
INITIAL_ENROLL_INITIALIZE_3 global_load_policy
INITIAL_ENROLL_INITIALIZE_4 global_set_profile
INITIAL_ENROLL_INITIALIZE_5 enroll_parse_pkcs10
PARSED global_noop
PROFILE_SET global_set_error_invalid_profile
Any information in previous messages was helpful for this error, the
only message was this thread
<https://sourceforge.net/p/openxpki/mailman/message/37854953/>, but
it was related to EST and at least from me, this was not the
solution. Do you have any idea what could be the problem?
Happy coding and best Regards,
*
*
*Jairo R. Mejia Aponte* | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
jairo.mejiaapo...@netmodule.com
<mailto:benjamin.k...@netmodule.com> | www.netmodule.com
<http://www.netmodule.com/> | www.belden.com <http://www.belden.com/>
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users
<https://lists.sourceforge.net/lists/listinfo/openxpki-users>
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
