Re: [OpenXPKI-users] sending request to 'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation' did not receive a valid SCEP response: HTTP 500

Wed, 23 Apr 2025 07:02:53 -0700 

Hi Ed,
the renewal window is defined in the endpoint configuration (realm/yourca/scep/generic.yaml) - set it to the max validity or any larger value AND raise the number of "max certs" in the policy section as renewal will also not work if there are too many active certs. 

Oliver

On 21.04.25 23:39, Jean-Baptiste, Edwige via OpenXPKI-users wrote:


Hi Oliver,

    I got more information, see the log below:


2025/04/21 21:28:53 DEB Calling context is plain HTTP 
[pid=71|server=generic|endpoint=generic]



2025/04/21 21:28:53 DEB Adding extra parameters for message type 
'PKCSReq' [pid=71|endpoint=generic|server=generic]



2025/04/21 21:28:53 DEB Pickup via attribute: transaction_id = 
CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76 
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]



2025/04/21 21:28:53 DEB Initialize workflow 'certificate_enroll' with 
parameters: pkcs10, interface, _url_params, transaction_id, server, 
signer_cert 
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]



2025/04/21 21:28:54 DEB Workflow "certificate_enroll" created: id 
#4351, state "FAILURE" 
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]



2025/04/21 21:28:54 DEB HTTP status: [400 Request was rejected: 
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW] 
[pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]



2025/04/21 21:28:54 ERR Request was rejected: 
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW 
[pid=71|endpoint=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic]



2025/04/21 21:28:54 WAR Client error / malformed request: badRequest 
(internal code: 40006) 
[pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]



2025/04/21 21:28:54 DEB Disconnect client 
[pid=71|endpoint=generic|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76]


root@ee1e62ccd150:/var/log/openxpki#


Where can I allow in the configuration a renewal within any window, 
meaning any interval within the life of the certificate.


Thanks,

Ed

*From:*Oliver Welter <m...@oliwel.de>
*Sent:* Sunday, April 20, 2025 2:17 AM
*To:* openxpki-users@lists.sourceforge.net

*Subject:* Re: [OpenXPKI-users] sending request to 
'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation' 
did not receive a valid SCEP response: HTTP 500



*CAUTION*: This message originated from an External Source outside of 
CommScope.com. This may be a phishing email that can result in 
unauthorized access to CommScope. Please use caution when opening 
attachments, clicking links, scanning QR codes, or responding. You can 
report suspicious emails directly in Microsoft Outlook.


Hi Ed,


OpenXPKI does not like the PKCS10 request it gets - can you perhaps 
dump the payload and share it with us (or raise loglevel in OpenXPKI 
to grab it from the logs).


Oliver

On 17.04.25 00:57, Jean-Baptiste, Edwige via OpenXPKI-users wrote:

    HI,

    I am trying to renew a certificate using the “—cert and –key” of
    the old certificate. I got an error, I am not quite sure why that
    is. Can someone help me out. Enrollment works fine.

    This is my PKI command:

    pki --scep --url
    http://[fd00:90:2690::135]:8080/scep/generic/pkiclient
    --cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig
    /fdsk/scep/CA_CERT-1.pem --cacert /fdsk/scep/CA_CERT.pem --in
    /fdsk/scep/vccap136-5-1Key.pem --san ad...@commscope.com --dn
    "C=US, ST=MA, L=Lowell, O=CommScope, OU=VCCAP,
    CN=ad...@commscope.com" --cert /fdsk/scep/old/vccap136-5-1.crt
    --key /fdsk/scep/old/vccap136-5-1Key.pem --password edwigejb
    --maxpolltime 120 --outform pem > /fdsk/scep/vccap136-5-1.crt

    I got this log in the debug response:

    builder L0 CRED_CONTAINER - PKCS7_SIGNED_DATA of plugin 'pkcs7'

    builder L1 CRED_CONTAINER - PKCS7_DATA of plugin 'pkcs7'

    sending scep request to 'http://[fd00:90:2690::135]:8080/scep/generic'

      sending request to
    'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation'...

    did not receive a valid SCEP response: HTTP 500

    croot@vccap136-5:/fdsk/scep#

    This is my SCEP.log

    2025/04/16 22:35:30 INF Input validation failed [pid=79|ep=generic]

    2025/04/16 22:35:30 INF Failed fields: pkcs10 [pid=79|ep=generic]

    2025/04/16 22:35:30 ERR Missing or invalid parameters:
    I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID

    [pid=79|ep=generic]

    2025/04/16 22:35:30 WAR Client error / malformed request:
    badRequest (internal code: 40004) [pid=79|ep=generic]

    2025/04/16 22:36:09 INF SCEP handler initialized [pid=80|ep=[undef]]

    2025/04/16 22:36:10 ERR I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID

    Thanks,

    Ed




    _______________________________________________

    OpenXPKI-users mailing list

    OpenXPKI-users@lists.sourceforge.net

    https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users






















					Reply via email to