Hello Oliver.

Right on spot! Everything seems to be working fine for scep, thanks!

I'll soon create a PR to provide a pt_BR translation (just checking if the overall translation makes sense before creating the PR).

I'll create new e-mails for further questions.




On 30/07/2025 01:56, Oliver Welter wrote:

Hello Mauricio,

The recommended version is 3.32, but as you have already noted, we did some major rework, especially on the frontend layer (see release notes).

The problem here is an accidental but incomplete takeover of enterprise config to the community tree which lets the pickup fail. Fortunately the solution is quite simple - just remove the "pickup" node from the SCEP configuration at client.d/service/scep/generic.yaml

best regards

Oliver

On 30.07.25 02:04, Mauricio Silveira via OpenXPKI-users wrote:

Updating:

I just tried v3.8 of the docker compose and openxpki-config, and it worked well, even being able to resume enrollment.

I tried using the scep/generic.yaml from v3.8 in v3.32 and had the same results as v3.32 - FAIL

I tried downgrading some versions for a quick test:

openxpki v3.24 (v3.8 git checkout) + config v3.24 WORKS (container images were versioned by me)


So, up to now, v3.8 and v3.24, SCEP works with default sampleconfig.


Is there a recommended version of OpenXPKI at the moment? It looks like there are lots of changes from v3.8 to v3.32 ... some refactoring/improvements?



On 29/07/2025 18:35, Mauricio Silveira via OpenXPKI-users wrote:

Hi there.


After much digging into the web, docs, etc., I guess I managed to go forward in getting OpenXPKI working... (tough task)...

I'm now stuck at SCEP testing.

I'm using the Docker images (v3.32), everything seems fine (I even managed to get oxi client working with the key)...

But SCEP enrollment only works when I set approval_points: 0 in scep/generic.yaml (I'm able to request and renew), but when approval_points is set to 1 and I perform operator approval (rob test account), it simply doesn't work.


With approval_points: 0

mauricio@localhost:/tmp/sscep$ ./sscep enroll 
-uhttp://192.168.11.11:8080/scep/generic -k sceptmp/scep-test.key -r 
sceptmp/scep-test.csr -c sceptmp/cacert-0 -l sceptmp/scep-test.crt -t 20 -T100 
-n 10
./sscep: sending certificate request
./sscep: valid response from server
./sscep: reply transaction id: 03D56226186C56BE8BB3D5978A0AE009
./sscep: pkistatus: SUCCESS


With approval_points: 1

mauricio@localhost:/tmp/sscep$ ./sscep enroll 
-uhttp://192.168.11.11:8080/scep/generic -k sceptmp/scep-test.key -r 
sceptmp/scep-test.csr -c sceptmp/cacert-0 -l sceptmp/scep-test.crt -t 20 -T100 
-n 10
./sscep: sending certificate request
./sscep: valid response from server
./sscep: reply transaction id: 778E2DFF5E20DCC07539E9C293D09192
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#1)
./sscep: valid response from server
./sscep: reply transaction id: 778E2DFF5E20DCC07539E9C293D09192
./sscep: pkistatus: FAILURE
./sscep: reason: No certificate could be identified matching



LOGS from server container:

With approval_points: 0

==> openxpki.log <==
2025/07/29 17:21:08 INFO Login successful (user: Anonymous, role: System) 
[pid=630|sid=TOiz]
2025/07/29 17:21:08 INFO Login successful (user: Anonymous, role: System) 
[pid=631|sid=rhNq]
==> catchall.log <==
2025/07/29 17:21:08 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=630|sid=TOiz]
2025/07/29 17:21:08 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Rendering subject: 
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Trusted Signer chain - 
certificate is self signed [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Trusted Signer not found in trust 
list (CN=device-seat-02). [pid=631|sid=rhNq]
2025/07/29 17:21:09 openxpki.application.INFO Eligibility check for 
scep.generic.eligible.initial failed [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO persisted csr for 
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 3583 
[pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO start cert issue for serial 3583, 
workflow 8191 [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Certificate 
CN=device-seat-02,DC=Test Deployment,DC=OpenXPKI,DC=org 
(66109798994132440681422) issued by ca-signer-1 [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.cakey.INFO certificate 
signedHASH(0x5b46adbbdee8) [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.entity.INFO certificate 
issuedHASH(0x5b46adbbe938) [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Certificate metadata 'entity': 
append (set) 'device-seat-02' [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.application.INFO Trigger notification message 
enroll_cert_issued [pid=631|sid=rhNq]
==> workflows.log <==
2025/07/29 17:21:09 8191 Rendering subject: CN=device-seat-02,DC=Test 
Deployment,DC=OpenXPKI,DC=org
2025/07/29 17:21:09 8191 Trusted Signer chain - certificate is self signed
2025/07/29 17:21:09 8191 Trusted Signer not found in trust list 
(CN=device-seat-02).
2025/07/29 17:21:09 8191 Eligibility check for scep.generic.eligible.initial 
failed
2025/07/29 17:21:10 8191 persisted csr for CN=device-seat-02,DC=Test 
Deployment,DC=OpenXPKI,DC=org with csr_serial 3583
2025/07/29 17:21:10 8191 start cert issue for serial 3583, workflow 8191
2025/07/29 17:21:10 8191 Certificate CN=device-seat-02,DC=Test 
Deployment,DC=OpenXPKI,DC=org (66109798994132440681422) issued by ca-signer-1
2025/07/29 17:21:10 8191 Certificate metadata 'entity': append (set) 
'device-seat-02'
2025/07/29 17:21:10 8191 Trigger notification message enroll_cert_issued
==> audit.log <==
2025/07/29 17:21:10 openxpki.audit.cakey.INFO certificate 
signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa
 [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.entity.INFO certificate 
issued|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa
 [pid=631|sid=rhNq]



With approval_points: 1

#After starting sscep enroll

==> openxpki.log <==
2025/07/29 18:11:22 INFO Login successful (user: Anonymous, role: System) 
[pid=572|sid=X+nx]
2025/07/29 18:11:22 INFO Login successful (user: Anonymous, role: System) 
[pid=573|sid=J2kQ]
==> catchall.log <==
2025/07/29 18:11:22 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=572|sid=X+nx]
2025/07/29 18:11:22 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Rendering subject: 
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trusted Signer chain - 
certificate is self signed [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trusted Signer not found in trust 
list (unstructuredName=pkiclient,CN=device-seat-12,DC=Test 
Deployment,DC=OpenXPKI,DC=org). [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO validate challenge using compare 
validated [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Eligibility check for 
scep.generic.eligible.initial failed [pid=573|sid=J2kQ]
2025/07/29 18:11:23 openxpki.application.INFO Trigger notification message 
enroll_approval_pending [pid=573|sid=J2kQ]
==> workflows.log <==
2025/07/29 18:11:23 14591 Rendering subject: CN=device-seat-12,DC=Test 
Deployment,DC=OpenXPKI,DC=org
2025/07/29 18:11:23 14591 Trusted Signer chain - certificate is self signed
2025/07/29 18:11:23 14591 Trusted Signer not found in trust list 
(unstructuredName=pkiclient,CN=device-seat-12,DC=Test 
Deployment,DC=OpenXPKI,DC=org).
2025/07/29 18:11:23 14591 validate challenge using compare validated
2025/07/29 18:11:23 14591 Eligibility check for scep.generic.eligible.initial 
failed
2025/07/29 18:11:23 14591 Trigger notification message enroll_approval_pending


#AFTER OPERATOR APPROVAL:

==> workflows.log <==

2025/07/29 18:11:34 14591 Unsigned approval for workflow 14591 by user rob, 
role RA Operator
2025/07/29 18:11:34 14591 Approval points for workflow #14591: 1
2025/07/29 18:11:34 14591 persisted csr for CN=device-seat-12,DC=Test 
Deployment,DC=OpenXPKI,DC=org with csr_serial 7423
2025/07/29 18:11:34 14591 start cert issue for serial 7423, workflow 14591
2025/07/29 18:11:35 14591 Certificate CN=device-seat-12,DC=Test 
Deployment,DC=OpenXPKI,DC=org (136932346016803674230380) issued by ca-signer-1
2025/07/29 18:11:35 14591 Certificate metadata 'entity': append (set) 
'device-seat-12'
2025/07/29 18:11:35 14591 Trigger notification message enroll_cert_issued
==> catchall.log <==
2025/07/29 18:11:34 openxpki.application.INFO Unsigned approval for workflow 
14591 by user rob, role RA Operator [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.audit.approval.INFO operator approval 
givenHASH(0x5e36a9f73b38) [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO Approval points for workflow 
#14591: 1 [pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO persisted csr for 
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org with csr_serial 7423 
[pid=586|sid=W+s1]
2025/07/29 18:11:34 openxpki.application.INFO start cert issue for serial 7423, 
workflow 14591 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Certificate 
CN=device-seat-12,DC=Test Deployment,DC=OpenXPKI,DC=org 
(136932346016803674230380) issued by ca-signer-1 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.cakey.INFO certificate 
signedHASH(0x5e36aa595c20) [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.entity.INFO certificate 
issuedHASH(0x5e36aa430570) [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Certificate metadata 'entity': 
append (set) 'device-seat-12' [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.application.INFO Trigger notification message 
enroll_cert_issued [pid=586|sid=W+s1]
2025/07/29 18:11:44 openxpki.auth.INFO Login successful (user: Anonymous, role: 
System) [pid=606|sid=tHA5]
==> audit.log <==
2025/07/29 18:11:34 openxpki.audit.approval.INFO operator approval 
given|role=RA Operator|user=rob|wfid=14591 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.cakey.INFO certificate 
signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa
 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.entity.INFO certificate 
issued|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa
 [pid=586|sid=W+s1]
==> openxpki.log <==
2025/07/29 18:11:44 INFO Login successful (user: Anonymous, role: System) 
[pid=606|sid=tHA5]




So... what am I possibly missing? Is there any way to enable more verbosity in the server container?


Thanks!




_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!


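The audit.log excerpts quoted in the thread show the two event sequences side by side: with approval_points: 0 the certificate is signed and issued with no "operator approval given" record, with approval_points: 1 rob's approval precedes the issuance. The following script is an added example (not OpenXPKI code and not from the thread): it parses that audit.log line format and reports certids that were issued in a session with no recorded operator approval, the kind of check an RA reviewer would run when the policy requires an approval. It assumes the pid/sid suffix identifies one enrollment session (the cakey/entity lines carry no wfid, only the approval line does), and the sample lines are the thread's own lines re-joined onto one line each.

```python
import re

# Constructed sample: the audit.log lines quoted in the thread, re-joined onto
# one line each (the mail client had wrapped them). sid=rhNq is the
# approval_points: 0 run, sid=W+s1 the approval_points: 1 run approved by rob.
SAMPLE_AUDIT_LOG = """\
2025/07/29 17:21:10 openxpki.audit.cakey.INFO certificate signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa [pid=631|sid=rhNq]
2025/07/29 17:21:10 openxpki.audit.entity.INFO certificate issued|certid=YDJUnKvpJPAlnGak39_Evrbtrag|key=7A:BD:78:3B:76:9D:3C:8B:89:07:B7:03:47:3A:E7:01:7A:7B:72:D7|pki_realm=democa [pid=631|sid=rhNq]
2025/07/29 18:11:34 openxpki.audit.approval.INFO operator approval given|role=RA Operator|user=rob|wfid=14591 [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.cakey.INFO certificate signed|cakey=E8:85:99:80:A1:40:02:6F:08:D3:75:C1:4A:F5:22:F1:49:16:65:88|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa [pid=586|sid=W+s1]
2025/07/29 18:11:35 openxpki.audit.entity.INFO certificate issued|certid=TJQd6d7e7UYeBXXL8ts7iIQyqHw|key=00:37:48:7B:DD:03:57:AC:30:B0:69:A7:58:16:E6:80:3F:4F:3D:EF|pki_realm=democa [pid=586|sid=W+s1]
"""

# <timestamp> openxpki.audit.<category>.<level> <event>|k=v|k=v [pid=N|sid=X]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"openxpki\.audit\.(?P<category>\w+)\.(?P<level>\w+) "
    r"(?P<event>[^|\[]+?)"          # free-text event name before the first '|'
    r"(?:\|(?P<fields>.*?))?"       # optional '|'-separated key=value fields
    r" \[pid=(?P<pid>\d+)\|sid=(?P<sid>[^\]]+)\]$"
)


def parse_audit_line(line):
    """Parse one audit.log line into a dict; return None for non-audit lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for kv in (rec["fields"] or "").split("|"):
        if kv:
            key, _, value = kv.partition("=")   # values may contain ':' but no '='
            fields[key] = value
    rec["fields"] = fields
    return rec


def unapproved_issuances(log_text):
    """Return certids issued in a session (sid) that recorded no operator approval.

    Assumption: pid/sid identify one enrollment session, so an approval event and
    the issuance it authorised share the same sid. Ordering is not relied on.
    """
    approved_sids = set()
    issued = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec["category"] == "approval" and rec["event"] == "operator approval given":
            approved_sids.add(rec["sid"])
        elif rec["category"] == "entity" and rec["event"] == "certificate issued":
            issued.append((rec["sid"], rec["fields"].get("certid")))
    return [certid for sid, certid in issued if sid not in approved_sids]


if __name__ == "__main__":
    for certid in unapproved_issuances(SAMPLE_AUDIT_LOG):
        print("issued without recorded operator approval:", certid)
```

Against the sample, only the approval_points: 0 certificate (certid YDJUnKvpJPAlnGak39_Evrbtrag) is flagged; run it over a real audit.log by reading the file into `unapproved_issuances`.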
