Hi Oliver,
I thought "max certs" only allowed 0 or 1, you mentioned increasing that
value, what is the max I can set it to?
Thanks,
Ed
From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, April 23, 2025 9:59 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] sending request to
'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation' did not
receive a valid SCEP response: HTTP 500
CAUTION: This message originated from an External Source outside of
CommScope.com. This may be a phishing email that can result in unauthorized
access to CommScope. Please use caution when opening attachments, clicking
links, scanning QR codes, or responding. You can report suspicious emails
directly in Microsoft Outlook.
Hi Ed,
the renewal window is defined in the endpoint configuration
(realm/yourca/scep/generic.yaml) - set it to the max validity or any larger
value AND raise the number of "max certs" in the policy section as renewal will
also not work if there are too many active certs.
Oliver
On 21.04.25 23:39, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
Hi Oliver,
I got more information, see the log below:
2025/04/21 21:28:53 DEB Calling context is plain HTTP
[pid=71|server=generic|endpoint=generic]
2025/04/21 21:28:53 DEB Adding extra parameters for message type 'PKCSReq'
[pid=71|endpoint=generic|server=generic]
2025/04/21 21:28:53 DEB Pickup via attribute: transaction_id =
CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]
2025/04/21 21:28:53 DEB Initialize workflow 'certificate_enroll' with
parameters: pkcs10, interface, _url_params, transaction_id, server, signer_cert
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]
2025/04/21 21:28:54 DEB Workflow "certificate_enroll" created: id #4351, state
"FAILURE"
[pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]
2025/04/21 21:28:54 DEB HTTP status: [400 Request was rejected:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW]
[pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]
2025/04/21 21:28:54 ERR Request was rejected:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW
[pid=71|endpoint=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic]
2025/04/21 21:28:54 WAR Client error / malformed request: badRequest (internal
code: 40006)
[pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]
2025/04/21 21:28:54 DEB Disconnect client
[pid=71|endpoint=generic|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76]
root@ee1e62ccd150:/var/log/openxpki#
Where can I allow in the configuration a renewal within any window, meaning any
interval within the life of the certificate.
Thanks,
Ed
From: Oliver Welter <m...@oliwel.de><mailto:m...@oliwel.de>
Sent: Sunday, April 20, 2025 2:17 AM
To:
openxpki-users@lists.sourceforge.net<mailto:openxpki-users@lists.sourceforge.net>
Subject: Re: [OpenXPKI-users] sending request to
'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation' did not
receive a valid SCEP response: HTTP 500
CAUTION: This message originated from an External Source outside of
CommScope.com. This may be a phishing email that can result in unauthorized
access to CommScope. Please use caution when opening attachments, clicking
links, scanning QR codes, or responding. You can report suspicious emails
directly in Microsoft Outlook.
Hi Ed,
OpenXPKI does not like the PKCS10 request it gets - can you perhaps dump the
payload and share it with us (or raise loglevel in OpenXPKI to grab it from the
logs).
Oliver
On 17.04.25 00:57, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
HI,
I am trying to renew a certificate using the "-cert and -key" of the old
certificate. I got an error, I am not quite sure why that is. Can someone help
me out. Enrollment works fine.
This is my PKI command:
pki --scep --url http://[fd00:90:2690::135]:8080/scep/generic/pkiclient
--cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig /fdsk/scep/CA_CERT-1.pem
--cacert /fdsk/scep/CA_CERT.pem --in /fdsk/scep/vccap136-5-1Key.pem --san
ad...@commscope.com<mailto:ad...@commscope.com> --dn "C=US, ST=MA, L=Lowell,
O=CommScope, OU=VCCAP, CN=ad...@commscope.com<mailto:CN=ad...@commscope.com>"
--cert /fdsk/scep/old/vccap136-5-1.crt --key /fdsk/scep/old/vccap136-5-1Key.pem
--password edwigejb --maxpolltime 120 --outform pem >
/fdsk/scep/vccap136-5-1.crt
I got this log in the debug response:
builder L0 CRED_CONTAINER - PKCS7_SIGNED_DATA of plugin 'pkcs7'
builder L1 CRED_CONTAINER - PKCS7_DATA of plugin 'pkcs7'
sending scep request to 'http://[fd00:90:2690::135]:8080/scep/generic'
sending request to
'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation'...
did not receive a valid SCEP response: HTTP 500
croot@vccap136-5:/fdsk/scep#
This is my SCEP.log
2025/04/16 22:35:30 INF Input validation failed [pid=79|ep=generic]
2025/04/16 22:35:30 INF Failed fields: pkcs10 [pid=79|ep=generic]
2025/04/16 22:35:30 ERR Missing or invalid parameters:
I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID
[pid=79|ep=generic]
2025/04/16 22:35:30 WAR Client error / malformed request: badRequest (internal
code: 40004) [pid=79|ep=generic]
2025/04/16 22:36:09 INF SCEP handler initialized [pid=80|ep=[undef]]
2025/04/16 22:36:10 ERR I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID
Thanks,
Ed
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
