Hi Ed,

max_certs is just an integer used in a "less than" comparison so there is no restriction on the technical side (as long as it fits into an integer :D).

But I really suggest to not set an "infinite" value to prevent unlimited reissuance to devices going havoc.

Oliver

On 01.05.25 23:25, Jean-Baptiste, Edwige via OpenXPKI-users wrote:

Hi Oliver,

    I thought “max certs” only allowed 0 or 1, you mentioned increasing that value, what is the max I can set it to?

Thanks,

Ed

*From:* Oliver Welter <m...@oliwel.de>
*Sent:* Wednesday, April 23, 2025 9:59 AM
*To:* openxpki-users@lists.sourceforge.net
*Subject:* Re: [OpenXPKI-users] sending request to 'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation' did not receive a valid SCEP response: HTTP 500

*CAUTION*: This message originated from an External Source outside of CommScope.com. This may be a phishing email that can result in unauthorized access to CommScope. Please use caution when opening attachments, clicking links, scanning QR codes, or responding. You can report suspicious emails directly in Microsoft Outlook.

Hi Ed,

the renewal window is defined in the endpoint configuration (realm/yourca/scep/generic.yaml) - set it to the max validity or any larger value AND raise the number of "max certs" in the policy section as renewal will also not work if there are too many active certs.

Oliver

On 21.04.25 23:39, Jean-Baptiste, Edwige via OpenXPKI-users wrote:

    Hi Oliver,

        I got more information, see the log below:

    2025/04/21 21:28:53 DEB Calling context is plain HTTP [pid=71|server=generic|endpoint=generic]

    2025/04/21 21:28:53 DEB Adding extra parameters for message type 'PKCSReq' [pid=71|endpoint=generic|server=generic]

    2025/04/21 21:28:53 DEB Pickup via attribute: transaction_id = CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76 [pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]

    2025/04/21 21:28:53 DEB Initialize workflow 'certificate_enroll' with parameters: pkcs10, interface, _url_params, transaction_id, server, signer_cert [pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]

    2025/04/21 21:28:54 DEB Workflow "certificate_enroll" created: id #4351, state "FAILURE" [pid=71|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic|endpoint=generic]

    2025/04/21 21:28:54 DEB HTTP status: [400 Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW] [pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]

    2025/04/21 21:28:54 ERR Request was rejected: I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW [pid=71|endpoint=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic]

    2025/04/21 21:28:54 WAR Client error / malformed request: badRequest (internal code: 40006) [pid=71|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|endpoint=generic]

    2025/04/21 21:28:54 DEB Disconnect client [pid=71|endpoint=generic|server=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76]

    root@ee1e62ccd150:/var/log/openxpki#

    Where can I allow in the configuration a renewal within any
    window, meaning any interval within the life of the certificate.

    Thanks,

    Ed

    *From:* Oliver Welter <m...@oliwel.de>
    *Sent:* Sunday, April 20, 2025 2:17 AM
    *To:* openxpki-users@lists.sourceforge.net
    *Subject:* Re: [OpenXPKI-users] sending request to
    'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation'
    did not receive a valid SCEP response: HTTP 500

    Hi Ed,

    OpenXPKI does not like the PKCS10 request it gets - can you
    perhaps dump the payload and share it with us (or raise loglevel
    in OpenXPKI to grab it from the logs).

    Oliver

    On 17.04.25 00:57, Jean-Baptiste, Edwige via OpenXPKI-users wrote:

        Hi,

        I am trying to renew a certificate using the “--cert and --key”
        of the old certificate. I got an error, I am not quite sure
        why that is. Can someone help me out? Enrollment works fine.

        This is my PKI command:

        pki --scep --url
        http://[fd00:90:2690::135]:8080/scep/generic/pkiclient
        --cacert-enc /fdsk/scep/RA_CERT.pem --cacert-sig
        /fdsk/scep/CA_CERT-1.pem --cacert /fdsk/scep/CA_CERT.pem --in
        /fdsk/scep/vccap136-5-1Key.pem --san ad...@commscope.com --dn
        "C=US, ST=MA, L=Lowell, O=CommScope, OU=VCCAP,
        CN=ad...@commscope.com" --cert /fdsk/scep/old/vccap136-5-1.crt
        --key /fdsk/scep/old/vccap136-5-1Key.pem --password edwigejb
        --maxpolltime 120 --outform pem > /fdsk/scep/vccap136-5-1.crt

        I got this log in the debug response:

        builder L0 CRED_CONTAINER - PKCS7_SIGNED_DATA of plugin 'pkcs7'

        builder L1 CRED_CONTAINER - PKCS7_DATA of plugin 'pkcs7'

        sending scep request to
        'http://[fd00:90:2690::135]:8080/scep/generic'

          sending request to
        'http://[fd00:90:2690::135]:8080/scep/generic?operation=PKIOperation'...

        did not receive a valid SCEP response: HTTP 500

        croot@vccap136-5:/fdsk/scep#

        This is my SCEP.log

        2025/04/16 22:35:30 INF Input validation failed [pid=79|ep=generic]

        2025/04/16 22:35:30 INF Failed fields: pkcs10 [pid=79|ep=generic]

        2025/04/16 22:35:30 ERR Missing or invalid parameters: I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID [pid=79|ep=generic]

        2025/04/16 22:35:30 WAR Client error / malformed request: badRequest (internal code: 40004) [pid=79|ep=generic]

        2025/04/16 22:36:09 INF SCEP handler initialized [pid=80|ep=[undef]]

        2025/04/16 22:36:10 ERR I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID

        Thanks,

        Ed





        _______________________________________________

        OpenXPKI-users mailing list

        OpenXPKI-users@lists.sourceforge.net

        https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
    Protect your environment -  close windows and adopt a penguin!





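Added example, not part of any message in this thread and not OpenXPKI code: a small Python triage helper that rejoins the mail-wrapped SCEP log lines quoted above, groups ERR entries by transaction id, and attaches the advice the thread gives for each I18N code. The names `parse`, `triage`, `HINTS` and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the logs quoted in the thread (wrapped as mailed).
SAMPLE = """\
2025/04/21 21:28:54 ERR Request was rejected:
I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW
[pid=71|endpoint=generic|tid=CC1D637C9CE0D6E06BC3FB3860A388294ABA3D76|server=generic]
2025/04/16 22:35:30 INF Failed fields: pkcs10 [pid=79|ep=generic]
2025/04/16 22:35:30 ERR Missing or invalid parameters:
I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID
[pid=79|ep=generic]
"""

# Hints only restate the advice given in the thread for each code.
HINTS = {
    "I18N_OPENXPKI_UI_ENROLLMENT_ERROR_NOT_IN_RENEWAL_WINDOW":
        "check the renewal window in the endpoint configuration and 'max certs' in its policy section",
    "I18N_OPENXPKI_UI_VALIDATOR_FIELD_TYPE_INVALID":
        "the pkcs10 field failed input validation; dump the request payload",
}
START = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([A-Z]{3}) (.*)$")
CONTEXT = re.compile(r"\s*\[([^\[\]]*=[^\[\]]*)\]\s*$")
CODE = re.compile(r"I18N_OPENXPKI_[A-Z0-9_]+")

def parse(text):
    """Rejoin wrapped lines into entries and split off the [k=v|k=v] context."""
    entries = []
    for line in text.splitlines():
        m = START.match(line.strip())
        if m:
            entries.append({"ts": m[1], "level": m[2], "msg": m[3]})
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    for e in entries:
        ctx = CONTEXT.search(e["msg"])
        pairs = ctx[1].split("|") if ctx else []
        e["ctx"] = dict(p.split("=", 1) for p in pairs if "=" in p)
        e["msg"] = e["msg"][:ctx.start()] if ctx else e["msg"]
    return entries

def triage(text):
    """Map each transaction id (or pid, when no tid was logged) to its ERR codes and hints."""
    found = defaultdict(set)
    for e in parse(text):
        if e["level"] == "ERR":
            key = e["ctx"].get("tid") or "pid=" + e["ctx"].get("pid", "?")
            found[key].update(CODE.findall(e["msg"]))
    return {k: [(c, HINTS.get(c, "no hint")) for c in sorted(v)] for k, v in found.items()}
```
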