Hi Andreas,

I have found the same, and as Oliver already mentioned, this has been broken for a long time. What I did to solve this issue was to use the information in the certificate itself. You can get the URL of the CRL from the certificate with a very simple script. The URL in the certificate came from the configuration, specifically config.d/realm.tpl/profile/default.yaml.
You could put a valid value there and all the generated certificates would have that URL where you can download the CRL.

Best regards,

Jairo R. Mejia Aponte | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
jairo.mejiaapo...@belden.com | www.netmodule.com | www.belden.com

________________________________
From: Oliver Welter <m...@oliwel.de>
Sent: 11 August 2024 12:31 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] SSCEP and OpenXPKI Demosite

Hi Andreas,

GetCert and GetCRL were broken for a long time in sscep and as we have never seen this in use by any of our customers we did not really pay much attention to this. If I run your command here I get this additional line as debug output:

> sscep: requesting crl for serial number 209895355816480542039969897678004233525935668162 and issuer /CN=oxi-ce-demo.rackport.net:scep-ra

and this is wrong - I did not check the serial but the issuer is definitely not the RA certificate (history explains this "bug": when SCEP was invented this was running on embedded systems with only one certificate as RA/CA).

I agree that it should not end up in a 500 error but this is simply explained by the fact that we are currently moving to a new error handling strategy and not all edge cases have been handled. I would assume that you get a correct answer when you provide a correct request :)

Oliver

On 08.08.24 17:02, Andreas Piesk via OpenXPKI-users wrote:
> On 08.08.24 at 09:56, Martin Bartosch wrote:
>> Hi,
>>
>>>> I tried scep getcrl against the demosite but it didn't work:
>>>> abc.crt and abc.key have been generated on demo.openxpki.org
>>>> beforehand.
>>>> root@pki:~/sscep-0.10.0# openssl x509 -noout -subject -in CA.pem-0
>>>> subject=CN = oxi-ce-demo.rackport.net:scep-ra
>>>> root@pki:~/sscep-0.10.0# ./sscep getcrl -u http://demo.openxpki.org/scep/test \
>>>>     -c CA.pem-0 -l abc.crt -w bla -k abc.key -v
>>
>>> I guess, "Unable to serialize HASH" is the real issue. Any hints
>>> what went wrong?
>>
>> On our demo.openxpki.org <http://demo.openxpki.org/> the SCEP server
>> is configured to listen at http://demo.openxpki.org/scep/generic. The
>> same is true for an unmodified setup from our community config
>> repository.
>>
>
> Uh, stupid mistake of mine, sorry, I warned you, I may ask stupid
> questions ;-)
>
> Unfortunately I get the same response from
> http://demo.openxpki.org/scep/generic
>
> $ ./sscep getcrl -u http://demo.openxpki.org/scep/generic -c CA-0 -l \
>     sceptest1.crt -w bla -k sceptest1.key -v
> ./sscep: starting sscep, version 0.10.0
> ./sscep: new transaction
> ./sscep: transaction id: SSCEP transactionId
> ./sscep: hostname: demo.openxpki.org
> ./sscep: directory: scep/generic
> ./sscep: port: 80
> ./sscep: SCEP_OPERATION_GETCAPS
> ./sscep: connecting to demo.openxpki.org:80
> ./sscep: server response status code: 200, MIME header: text/plain
> Renewal
> POSTPKIOperation
> SHA-512
> SHA-384
> SHA-256
> SHA-224
> SHA-1
> DES3
> AES
> ./sscep: SCEP_OPERATION_GETCRL
> ./sscep: requesting crl
> ./sscep: request data dump
> ./sscep: data payload size: 69 bytes
> ./sscep: successfully encrypted payload
> ./sscep: envelope size: 682 bytes
> ./sscep: creating outer PKCS#7
> ./sscep: PKCS#7 data written successfully
> ./sscep: payload size: 3154 bytes
> ./sscep: connecting to demo.openxpki.org:80
> ./sscep: server response status code: 500, MIME header: text/html
> ./sscep: wrong (or missing) MIME content type
> ./sscep: error while sending message
>
> ==> /var/log/openxpki/scep.log <==
> 2024/08/08 15:30:26 ERR Unexpected response from backend
> [pid=21283|ep=generic]
>
> I get 500 as response for getcrl, getnextca, getcert, but getca and
> enroll work!
>
> Any more ideas? getca and enroll are the most needed functions,
> but it would be great if the remaining functions would work too.
>
>
> Best,
> -ap
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
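An added example, written by the editor and not code from anyone in the thread nor from the sscep or OpenXPKI projects, of the "very simple script" Jairo refers to. It reads the CRL Distribution Point URI(s) out of a certificate with openssl, and adds the check Oliver's debug line suggests: that the certificate you hand the SCEP client as the CA (the `-c` file) really is the issuer of the certificate whose revocation status you want, rather than the RA certificate. The demo CA, the leaf `device01`, the file names and the URI `http://pki.example.test/demo-ca.crl` are all constructed for the example; it needs OpenSSL 1.1.1 or newer for `x509 -ext`.

```shell
#!/bin/sh
# Editor's example (not from the thread, sscep or OpenXPKI): extract the CRL
# Distribution Point URI(s) from a certificate and check that a given "CA"
# file is actually the issuer of the leaf. Requires OpenSSL >= 1.1.1.
set -eu

# crl_dp_uris CERT.pem
# Prints one URI per line from the crlDistributionPoints extension; prints
# nothing if the certificate carries no such extension.
crl_dp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# cert_subject CERT.pem / cert_issuer CERT.pem
# Print the DN in RFC 2253 form so two DNs compare as plain strings.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# issuer_matches_ca LEAF.pem CA.pem
# Succeeds only if LEAF's issuer DN equals CA's subject DN. Handing in the RA
# certificate instead of the CA (what the sscep debug line in the thread
# shows) fails here, because the RA certificate did not issue the leaf.
issuer_matches_ca() {
    if [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]; then
        return 0
    fi
    return 1
}

# make_demo_pki DIR
# Constructed test data: a throwaway CA and one leaf certificate carrying a
# CRL DP that points at the made-up URI http://pki.example.test/demo-ca.crl.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=device01" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'crlDistributionPoints=URI:http://pki.example.test/demo-ca.crl\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Stand-alone demo run on the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
printf 'leaf issuer : %s\n' "$(cert_issuer "$demo_dir/leaf.pem")"
printf 'CA subject  : %s\n' "$(cert_subject "$demo_dir/ca.pem")"
printf 'CRL DP URIs : %s\n' "$(crl_dp_uris "$demo_dir/leaf.pem")"
if issuer_matches_ca "$demo_dir/leaf.pem" "$demo_dir/ca.pem"; then
    echo "CA file is the issuer of the leaf: this is the certificate to pass to getcrl -c"
else
    echo "CA file is NOT the issuer of the leaf: a GetCRL built from it names the wrong issuer"
fi
rm -rf "$demo_dir"
```

Two practical notes: whatever URL you put into the profile so that it ends up in issued certificates has to be reachable from the devices that will fetch the CRL, and `crl_dp_uris` is what a device can run locally on its own certificate to find it; and before blaming the server for a 500, run `issuer_matches_ca` on the certificate you pass with `-l` and the file you pass with `-c`, since a mismatch means the client is asking for the CRL of the wrong issuer, which is exactly the case Oliver describes.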