Hello, I finally discovered the issue I’m facing, and I’d like to share it with you while asking for help.
It seems that the problem is related to HMAC when requesting certificate enrollment via SCEP.

Previously, the OpenXPKI system worked as follows: All certificate enrollment requests would enter the PENDING state, and the operator would receive an email notifying them of the PENDING enrollment request. Only after logging into the OpenXPKI web interface and approving the request would the certificate be generated.

However, for some reason (I say, "some reason" because no certificates or parameters were changed), the "Enrollment Request PENDING" email is no longer being sent, and the certificate enrollment now goes directly to the MANUAL_AUTHORIZATION state. This means operators are unaware of when they need to approve a certificate.

After some testing and reviewing the certificate_enroll.yaml file, I modified the VALIDATE_HMAC section. Specifically, I changed

    global_noop > AUTHORIZED ? is_valid_hmac

to

    global_noop > AUTHORIZED ? !is_valid_hmac

and commented out the line

    #global_noop2 > CHECK_CHALLENGE_PASSWORD ? !is_valid_hmac

Here’s the modified section:

    VALIDATE_HMAC:
        autorun: 1
        action:
          - global_noop > AUTHORIZED ? !is_valid_hmac
    #      - global_noop2 > CHECK_CHALLENGE_PASSWORD ? !is_valid_hmac

This change revealed that there is an issue with HMAC authentication, but I’m unsure how to proceed with the investigation. Could you assist me?

Thank you,
Frederico

-----Original Message-----
From: Andreas Piesk via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Sent: Wednesday, September 25, 2024 4:23 PM
To: openxpki-users@lists.sourceforge.net
Cc: Andreas Piesk <a.pi...@mailbox.org>
Subject: Re: [OpenXPKI-users] Notification stopped for enroll_approval_pending

On 25.09.24 at 15:09, Frederico Aranha Pimentel | CarMedialab via OpenXPKI-users wrote:
>
> Anyone can help here?
>

Not really. Just a shot in the dark, locale is set to UTF-8? It seems, the file read at execution time contains no valid UTF-8.
Try to find out the filename, either by running openxpki in debug mode or by temporarily inserting some print statements. If you have the filename, go backwards, where does the file come from and what is its content?

Best,
-ap

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users