Hello Fabian,

thanks for sharing - can you perhaps help us understand what certmonger expects on a pending request, or is this just not foreseen in the protocol? If everything is set up correctly, OpenXPKI will send an SCEP PENDING response as laid out in the RFCs. As the RFCs and implementations are somewhat "fuzzy" in some aspects, this might just be a wrong or missing item in the response that we can easily fix once we know =)

The enrollment workflow and its operational modes are explained in great detail in the online help: https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html. One of the common pitfalls with renewal requests is that OpenXPKI expects the DN of the new CSR to fully match the DN of the old certificate - we often see that the incoming CSRs are created with the "original" client configuration, which often has only a CN or differing RDN components, so the equality check fails and the workflow moves from "renewal" to "onbehalf" mode (removing the authorized_signer deactivates the onbehalf mode, so it goes into a regular initial issuance when the renewal condition is not met).

So, long story short - to fix the renewal, either make sure that certmonger generates a CSR with a fully matching DN, or relax the equality condition to match the CN only. In the community edition this requires a change of the condition in the global workflow config in workflow/def/certificate_enroll.yaml.

Oli

On 17.10.24 11:57, Fabian Brandmüller via OpenXPKI-users wrote:

I finally managed to set up OpenXPKI with Docker and Certmonger to automatically retrieve and renew certificates. For anyone who wants the same setup, I’ll share my experiences.

First, I downloaded the Docker repository and initialized the config folder with make init. Before deploying the containers, I had to change a few configurations:

 1. *Increase the maximum Transaction ID*: OpenXPKI's default
    transaction ID is 64. It seems Certmonger is exceeding the limit,
    so I increased it to 77, as suggested in a previous conversation
    <https://sourceforge.net/p/openxpki/mailman/message/37607223/>.
    The file that needs to be changed can be found under
    openxpki-config/config.d/realm.tpl/workflow/global/field/transaction_id.yaml.
 2. *Enable auto-approval*: After requesting a certificate with
    Certmonger, the request moves to the state PENDING and awaits
    approval by an admin. Apparently, OpenXPKI sends a message that
    Certmonger cannot read. Therefore, the request gets stuck in the
    state CA_UNREACHABLE. As a workaround, I enabled auto-approval, as
    explained in the official documentation
    <https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/enroll.html#test-drive-insecure>
    (file to change:
    openxpki-config/config.d/realm.tpl/scep/generic.yaml).
 3. *Remove authorized signer rules*: When trying to renew a
    certificate, Certmonger gets stuck in the state CA_UNREACHABLE
    again. On the OpenXPKI side, I found that Certmonger is not
    allowed to renew a certificate by default. I solved this problem
    by commenting out the authorized_signer block in the same config
    file as above.

After I deployed the containers (make compose) and executed the sample config, I could successfully retrieve and renew certificates with Certmonger using the default endpoint and secret:

  * *Endpoint*: http://<ca-host>:8080/scep/generic
  * *Secret*: SecretChallenge

I hope these instructions will help some of you get OpenXPKI working with Certmonger.

Best regards,
Fabian

*From:* Fabian Brandmüller
*Sent:* Friday, 20 September 2024 17:17
*To:* openxpki-users@lists.sourceforge.net
*Cc:* Andreas Zingel <andreas.zin...@eviden.com>
*Subject:* Certmonger does not retrieve certificate after approval from openxpki server

Hello everyone,

I'm currently trying to set up an automated certificate process with SCEP. For this I'm using certmonger (version 0.79.17) on Debian Bookworm as client and OpenXPKI as CA. I deployed OpenXPKI with the latest Docker setup and used the provided sample config (change added as described in mail https://sourceforge.net/p/openxpki/mailman/message/37607223/). So far, I have successfully sent a request to the server, which is waiting for manual approval. But certmonger doesn't retrieve the certificate after approval.

The configuration of certmonger is as follows:

*Adding new CA in certmonger:*

root@vbox:~/cert-storage# getcert add-scep-ca -c openxpki-docker -u http://192.168.178.103:8080/scep/generic
New CA "openxpki-docker" added.

root@vbox:~/cert-storage# getcert list-cas
…
CA 'openxpki-docker':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/lib/certmonger/scep-submit -u http://192.168.178.103:8080/scep/generic
    SCEP CA certificate thumbprint (MD5): ECEA4F44 874BCC22 91A6DEFB 8282C80F
    SCEP CA certificate thumbprint (SHA1): 8FAF290A 7583C3D2 063C80C1 3E34D1F0 1E8F730A

*Request certificate:*

root@vbox:~/cert-storage# getcert request -I docker-cert -c openxpki-docker -N cn=example.com -k /root/cert-storage/docker-cert-key.pem -f /root/cert-storage/docker-cert.pem -L SecretChallenge -v
New signing request "docker-cert" added.

root@vbox:~/cert-storage# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'docker-cert':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response. error:1080007A:PKCS7 routines::no content
    stuck: no
    key pair storage: type=FILE,location='/root/cert-storage/docker-cert-key.pem'
    certificate: type=FILE,location='/root/cert-storage/docker-cert.pem'
    signing request thumbprint (MD5): FAACEAF1 5332FCAB F406285E F44BE192
    signing request thumbprint (SHA1): 4024DD5C ACC40F26 7066B473 9963FCD0 CD798DBA
    CA: openxpki-docker
    issuer:
    subject:
    issued: unknown
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Unfortunately, I am stuck at this point. Am I missing any important configuration on the server, so that the response can be read by certmonger? Is it possible to auto-approve the request?

Thank you very much for your help in advance!

Best regards,

Fabian



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
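A small preflight check for the two server-side conditions discussed in this thread: the renewal DN equality test that Oli describes (full-DN match vs. a relaxed CN-only match, and the fall-through to "onbehalf" or "initial" issuance), and the transaction ID length limit Fabian raised (64 by default, 77 after his change). This is an added example, not code from OpenXPKI or certmonger; the function names, the sample DNs and the order-insensitive RDN comparison are assumptions made for illustration, not a description of how OpenXPKI implements its condition.

```python
"""
Preflight a certmonger renewal against the OpenXPKI enrollment conditions
described in the thread. Added example code, not OpenXPKI or certmonger code.

Assumptions (not taken from the thread): DNs are given as RFC 4514 style
strings, RDN order is not significant for the strict comparison, and
multi-valued RDNs ("+") are not handled.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split "CN=a,O=b" into [("CN", "a"), ("O", "b")].

    Backslash-escaped characters (e.g. "\\," inside a value) are unescaped,
    and attribute types are upper-cased so "cn=" and "CN=" compare equal.
    """
    parts: list[str] = []
    cur: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Strict condition: every RDN of the old cert must appear in the CSR."""
    return sorted(parse_dn(a)) == sorted(parse_dn(b))


def cn_equal(a: str, b: str) -> bool:
    """Relaxed condition: only the CN component(s) must match."""
    def cns(dn: str) -> list[str]:
        return sorted(v for k, v in parse_dn(dn) if k == "CN")
    return cns(a) != [] and cns(a) == cns(b)


def enrollment_mode(old_subject: str, csr_subject: str,
                    has_authorized_signer: bool, strict: bool = True) -> str:
    """Mirror the mode selection Oli describes: a matching DN keeps the
    request in renewal; otherwise it falls through to onbehalf (if
    authorized_signer rules exist) or to a regular initial issuance."""
    match = dn_equal if strict else cn_equal
    if match(old_subject, csr_subject):
        return "renewal"
    return "onbehalf" if has_authorized_signer else "initial"


def transaction_id_fits(transaction_id: str, max_len: int = 64) -> bool:
    """Check a transaction ID against the configured field length
    (64 is the default mentioned in the thread, 77 the raised value)."""
    return len(transaction_id) <= max_len


if __name__ == "__main__":
    # Constructed sample: old cert with full DN, certmonger CSR with CN only
    # (as in the thread's "getcert request ... -N cn=example.com").
    old = "CN=example.com,O=ACME,C=DE"
    csr = "cn=example.com"
    print("strict, with authorized_signer:   ", enrollment_mode(old, csr, True))
    print("strict, without authorized_signer:", enrollment_mode(old, csr, False))
    print("CN-only condition:                ", enrollment_mode(old, csr, False, strict=False))
    print("70-char transaction ID fits 64?   ", transaction_id_fits("a" * 70))
    print("70-char transaction ID fits 77?   ", transaction_id_fits("a" * 70, 77))
```

Run it against the subject printed by `openssl x509 -noout -subject` for the old certificate and the `-N` value you pass to `getcert request`: if the result is not "renewal" under the strict condition, either pass the full DN to certmonger or relax the condition in workflow/def/certificate_enroll.yaml as Oli suggests.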
