Hi Andreas,
GetCert and GetCRL were broken for a long time in sscep and as we have
never seen this in use by any of our customers we did not really pay
much attention to this, if I run your command here I get this additional
line as debug output
> sscep: requesting crl for serial number
209895355816480542039969897678004233525935668162 and issuer
/CN=oxi-ce-demo.rackport.net:scep-ra
and this is wrong - I did not check the serial but the issuer is
definitely not the RA certificate (history explains this "bug" as when
SCEP was invented this was running on embedded systems with only one
certificate as RA/CA).
I agree that it should not end up in a 500 error but this is simply
explained by the fact that we are currently moving to a new error
handling strategy and not all edge cases have been handled.
I would assume that you get a correct answer when you provide a correct
request :)
Oliver
On 08.08.24 17:02, Andreas Piesk via OpenXPKI-users wrote:
On 08.08.24 at 09:56, Martin Bartosch wrote:
Hi,
I tried scep getcrl against the demosite but it didn't work:
abc.crt and abc.key have been generated on demo.openxpki.org
beforehand.
root@pki:~/sscep-0.10.0# openssl x509 -noout -subject -in CA.pem-0
subject=CN = oxi-ce-demo.rackport.net:scep-ra
root@pki:~/sscep-0.10.0# ./sscep getcrl -u
http://demo.openxpki.org/scep/test -c CA.pem-0 -l abc.crt -w bla -k
abc.key -v
I guess, "Unable to serialize HASH" is the real issue. Any hints
what went wrong?
On our demo.openxpki.org <http://demo.openxpki.org/> the SCEP server
is configured to listen at http://demo.openxpki.org/scep/generic. The
same is true for an unmodified setup from our community config
repository.
Uh, stupid mistake of mine, sorry, I warned you, I may ask stupid
questions ;-)
Unfortunately I get the same response from
http://demo.openxpki.org/scep/generic
$ ./sscep getcrl -u http://demo.openxpki.org/scep/generic -c CA-0 -l
sceptest1.crt -w bla -k sceptest1.key -v
./sscep: starting sscep, version 0.10.0
./sscep: new transaction
./sscep: transaction id: SSCEP transactionId
./sscep: hostname: demo.openxpki.org
./sscep: directory: scep/generic
./sscep: port: 80
./sscep: SCEP_OPERATION_GETCAPS
./sscep: connecting to demo.openxpki.org:80
./sscep: server response status code: 200, MIME header: text/plain
Renewal
POSTPKIOperation
SHA-512
SHA-384
SHA-256
SHA-224
SHA-1
DES3
AES
./sscep: SCEP_OPERATION_GETCRL
./sscep: requesting crl
./sscep: request data dump
./sscep: data payload size: 69 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 682 bytes
./sscep: creating outer PKCS#7
./sscep: PKCS#7 data written successfully
./sscep: payload size: 3154 bytes
./sscep: connecting to demo.openxpki.org:80
./sscep: server response status code: 500, MIME header: text/html
./sscep: wrong (or missing) MIME content type
./sscep: error while sending message
==> /var/log/openxpki/scep.log <==
2024/08/08 15:30:26 ERR Unexpected response from backend
[pid=21283|ep=generic]
I get 500 as response for getcrl, getnextca, getcert, but getca and
enroll work!
Any more ideas? getca and enroll are the most needed functions,
but it would be great if the remaining functions would work too.
Best,
-ap
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
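Added worked example (not part of the thread, and not code from sscep or OpenXPKI): a SCEP GetCRL request identifies the CRL it wants by the IssuerAndSerialNumber of a certificate, so the issuer it carries must be the name of the CA that issued the certificate, not the subject of the SCEP RA certificate that the thread's debug line shows. The script below decodes serial, issuer and subject from a DER certificate with a minimal pure-stdlib DER walker, then reports whether the issuer matches the CA's subject or the RA's subject. The certificate shells it parses are constructed here and unsigned; the CA name "example-issuing-ca" and the serial are made up, while the RA subject is the one printed in the thread.

```python
"""Check what a SCEP GetCRL request should carry for a given certificate.

Added example; assumes only the Python standard library. Certificates used
below are constructed, unsigned shells, not real OpenXPKI or demo.openxpki.org
material.
"""

# ---- minimal DER decoding (enough to walk the front of a TBSCertificate) ----

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

# attribute-type OIDs we render by short name (id-at-commonName etc.)
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def _name(buf, pos):
    """Decode an X.501 Name at pos into OpenSSL 'oneline' form, e.g. '/CN=ca'."""
    tag, start, end = _tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, p = [], start
    while p < end:
        stag, sstart, send = _tlv(buf, p)              # RelativeDistinguishedName (SET)
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        q = sstart
        while q < send:
            _, astart, aend = _tlv(buf, q)             # AttributeTypeAndValue (SEQUENCE)
            _, ostart, oend = _tlv(buf, astart)        # attribute type OID
            _, vstart, vend = _tlv(buf, oend)          # attribute value (string)
            oid = buf[ostart:oend]
            parts.append(f"{_OIDS.get(oid, oid.hex())}={buf[vstart:vend].decode('utf-8')}")
            q = aend
        p = send
    return "/" + "/".join(parts)

def parse_certificate(der):
    """Return (serial, issuer, subject) from a DER Certificate's TBSCertificate."""
    _, cstart, _ = _tlv(der, 0)                        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, cstart)                      # TBSCertificate SEQUENCE
    tag, _, vend = _tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = vend
    tag, vstart, vend = _tlv(der, pos)                 # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    _, _, issuer_pos = _tlv(der, vend)                 # skip signature AlgorithmIdentifier
    issuer = _name(der, issuer_pos)
    _, _, validity_pos = _tlv(der, issuer_pos)
    _, _, subject_pos = _tlv(der, validity_pos)        # skip Validity
    return serial, issuer, _name(der, subject_pos)

def getcrl_target(ee_der, ca_der, ra_der):
    """IssuerAndSerialNumber a GetCRL for ee_der must carry, plus sanity flags."""
    serial, issuer, _ = parse_certificate(ee_der)
    _, _, ca_subject = parse_certificate(ca_der)
    _, _, ra_subject = parse_certificate(ra_der)
    return {
        "serial": serial,
        "issuer": issuer,
        "issuer_is_ca": issuer == ca_subject,   # what a correct request looks like
        "issuer_is_ra": issuer == ra_subject,   # True reproduces the wrong request from the thread
    }

# ---- constructed sample input: unsigned certificate shells (encoder side) ----

def _enc(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name_enc(cn):
    atv = _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))

def make_constructed_cert(serial, issuer_cn, subject_cn):
    """Constructed, UNSIGNED certificate shell; only serial/issuer/subject matter here."""
    sha256_rsa = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"250101000000Z"))
    spki = _enc(0x30, sha256_rsa + _enc(0x03, b"\x00"))            # placeholder key
    tbs = (_enc(0xA0, _enc(0x02, b"\x02"))                         # version v3
           + _enc(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + sha256_rsa + _name_enc(issuer_cn) + validity + _name_enc(subject_cn) + spki)
    return _enc(0x30, _enc(0x30, tbs) + sha256_rsa + _enc(0x03, b"\x00"))  # dummy signature

CA = make_constructed_cert(1, "example-issuing-ca", "example-issuing-ca")
RA = make_constructed_cert(7, "example-issuing-ca", "oxi-ce-demo.rackport.net:scep-ra")
EE = make_constructed_cert(2712847316, "example-issuing-ca", "sceptest1")

if __name__ == "__main__":
    print(getcrl_target(EE, CA, RA))
```

Run against the real files from the thread, the same check would read `-l` cert (issuer and serial go into the request) against the CA certificate's subject; if the issuer printed by `sscep -v` equals the subject of the RA certificate instead, the request is malformed regardless of how the server happens to answer it.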