Hi Oliver,

    Your suggestion of replacing the secret with 64 chars seems to correct 
the issue, but I ran into another problem, where the workflow execution fails 
and keeps retrying. See the LOGs below:

openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/workflows.log
2025/08/14 01:34:37 511 NICE issueCertificate failed but pause_on_error is 
requested
2025/08/14 01:34:37 511 Action 'global_nice_issue_certificate' paused 
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:41:09
2025/08/14 01:41:13 511 start cert issue for serial 255, workflow 511
2025/08/14 01:41:13 511 NICE backend error: Could not find token alias by 
group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 
1755106873, __pki_realm__ => democa
2025/08/14 01:41:13 511 NICE issueCertificate failed but pause_on_error is 
requested
2025/08/14 01:41:13 511 Action 'global_nice_issue_certificate' paused 
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:46:54
2025/08/14 01:46:59 511 start cert issue for serial 255, workflow 511
2025/08/14 01:46:59 511 NICE backend error: Could not find token alias by 
group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 
1755107219, __pki_realm__ => democa
2025/08/14 01:46:59 511 NICE issueCertificate failed but pause_on_error is 
requested
2025/08/14 01:46:59 511 Action 'global_nice_issue_certificate' paused 
(I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:50:49


openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/openxpki.log
    "OpenXPKI::Crypto::API" requires that the reference isa 
OpenXPKI::Crypto::API
    The reference (in $_[1]) isa Moose::Object and 
OpenXPKI::Crypto::Token::Vault
[pid=1138|sid=Wbeh]
2025/08/14 01:28:31 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786642111, __notbefore__ => 1755106111, 
__pki_realm__ => democa [pid=1887|sid=Wbeh]
2025/08/14 01:31:37 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786642297, __notbefore__ => 1755106297, 
__pki_realm__ => democa [pid=2132|sid=Mzrd]
2025/08/14 01:34:37 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786642477, __notbefore__ => 1755106477, 
__pki_realm__ => democa [pid=2374|sid=Mzrd]
2025/08/14 01:41:13 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, 
__pki_realm__ => democa [pid=2904|sid=Mzrd]
2025/08/14 01:46:59 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, 
__pki_realm__ => democa [pid=3360|sid=Mzrd]
2025/08/14 01:50:50 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786643450, __notbefore__ => 1755107450, 
__pki_realm__ => democa [pid=3677|sid=Mzrd]
2025/08/14 01:54:41 ERROR Could not find token alias by group; __group__ => 
ca-signer, __noafter__ => 1786643681, __notbefore__ => 1755107681, 
__pki_realm__ => democa [pid=3981|sid=Mzrd]


Also, do you know why "make sample-config" fails, as described in my first 
email?

Thanks,
Ed



From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, August 13, 2025 9:21 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Error while installing OpenXPKI (Community 
Edition v3.32.0), and testing the WebUI (with user alice)





Hello Ed,

the WebUI session issue is described in the README of the docker repo.

Regarding the Vault token - the problem is the provided secret in the example 
config, the string in system/crypto.yaml must be 64 characters long, I 
accidentally missed one character in the repo :(

Oliver

On 12.08.25 22:16, Jean-Baptiste, Edwige via OpenXPKI-users wrote:
Hi,
    I encountered a few issues while installing the latest OpenXPKI (Community 
Edition v3.32.0). I followed the instructions step by step. See below for the 
problem descriptions. This is a fresh install (not an upgrade); I had to 
upgrade Docker and Docker-compose on the system before I started the install.


  1.  At first I couldn't connect to the WebUI due to the error below from the 
page:

"The webserver did not return the expected data.
Possible causes: OpenXPKI client is not running; authentication session has 
expired; an internal error.
HTTP code: 500"



I was able to get further by modifying the WebUI file with a different 
DB user/password: "openxpki-config/client.d/service/webui/default.yaml"



I replaced this:

    User: openxpki_session

    Password: mysecret



With this:

User: openxpki

Password: openxpki



  2.  After resolving the issue above, I was able to access the WebUI, and log 
in as "alice", but in the process of generating the RSA Key, I got this error:

"This workflow was interrupted by an unexpected event, it will not continue 
without a manual interaction. Please contact the support team!
Last Update
2025-08-12 19:04:15 UTC
Failed Action
global_store_pkey_in_datapool"

WEBUI.log indicates the following:

openxpkiclient@cf7bea636378:/var/log$ tail -f openxpki-client/webui.log
2025/08/12 19:00:35 INF Run 'csr_edit_cert_info' on workflow #255 
[rid=5I_OocalVhrM|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:01:55 INF Incoming request: action 
'workflow!select!wf_action!csr_submit!wf_id!255' 
[rid=KpH5p9Kn9fW-|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:01:55 INF Handle action 
'workflow!select!wf_action!csr_submit!wf_id!255' 
[rid=KpH5p9Kn9fW-|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Incoming request: action 'workflow' 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Handle action 'workflow' 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|pid=9|name=alice]
2025/08/12 19:04:13 INF Run 'csr_retype_server_password' on workflow #255 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR Command 'execute_workflow_activity' failed (ERROR) 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 ERR workflow acton failed! 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]
2025/08/12 19:04:15 INF Handle page 'workflow!load' 
[rid=uaGFcJVcOdvR|role=User|sid=1ac9|ssid=t5sz|ep=default|wfid=255|pid=9|name=alice]



OPENXPKI-SERVER LOGs:

openxpki@087f53771df1:/var/log$ tail -f openxpki-server/openxpki.log
2025/08/13 02:54:08 INFO Login successful (user: alice, role: User) 
[pid=7776|sid=t5sz]
2025/08/13 03:04:15 ERROR Vault requires a 256 bit length secret value encoded 
in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572 
[pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR Workflow 
255/certificate_signing_request_v2/KEY_GENERATED_CSR_GENERATE_PKCS10_0 uncaught 
exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; 
__ACTION__ => global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 
bit length secret value encoded in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__ 
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 ERROR Error executing workflow activity 
"csr_retype_server_password" on workflow id #255 (type 
"certificate_signing_request_v2"): 
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ => 
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length 
secret value encoded in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__ 
=> Workflow::Exception [pid=8579|sid=t5sz]


WORKFLOWS LOGs:

openxpki@087f53771df1:/var/log$ cat openxpki-server/workflows.log
2025/08/13 03:00:36 255 Rendering subject: CN=lai.wenglang:ocsp,DC=Test 
Deployment,DC=OpenXPKI,DC=org
openxpki@087f53771df1:/var/log$

CATCHALL LOGs:

openxpki@087f53771df1:/var/log$ cat openxpki-server/catchall.log
2025/08/13 02:54:08 openxpki.auth.INFO Login successful (user: alice, role: 
User) [pid=7776|sid=t5sz]
2025/08/13 02:58:41 openxpki.application.INFO Purged 59 expired sessions 
[pid=22|sid=eLKt]
2025/08/13 03:00:36 openxpki.application.INFO Rendering subject: 
CN=lai.wenglang:ocsp,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=8286|sid=t5sz]
2025/08/13 03:03:46 openxpki.application.INFO Purged 58 expired sessions 
[pid=22|sid=eLKt]
2025/08/13 03:04:13 openxpki.audit.key.INFO generating private 
keyHASH(0x55de7a4a17a0) [pid=8579|sid=t5sz]
2025/08/13 03:04:14 openxpki.audit.key.INFO generating private 
keyHASH(0x55de7a64e558) [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.system.ERROR Vault requires a 256 bit length 
secret value encoded in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572 
[pid=8579|sid=t5sz]
2025/08/13 03:04:15 
OpenXPKI.Server.Workflow.Activity.Tools.Datapool.SetEntry.ERROR workflow_error 
exception thrown from 
[OpenXPKI::Server::Workflow::Activity::Tools::Datapool::SetEntry: 72; before: 
Workflow: 123]: Vault requires a 256 bit length secret value encoded in 64 
uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572 
[pid=8579|sid=t5sz]
2025/08/13 03:04:15 OpenXPKI.Server.Workflow.ERROR Caught exception from 
action: Vault requires a 256 bit length secret value encoded in 64 uppercase 
hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572; reset workflow 
to old state 'KEY_GENERATED_CSR_GENERATE_PKCS10_0' [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.workflow.ERROR Workflow 
255/certificate_signing_request_v2/KEY_GENERATED_CSR_GENERATE_PKCS10_0 uncaught 
exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.system.ERROR 
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ => 
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length 
secret value encoded in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__ 
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:04:15 openxpki.workflow.ERROR Error executing workflow activity 
"csr_retype_server_password" on workflow id #255 (type 
"certificate_signing_request_v2"): 
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ => 
global_store_pkey_in_datapool, __ERROR__ => Vault requires a 256 bit length 
secret value encoded in 64 uppercase hex characters - is 
6F70656E78706B6969736D796661766F72697465747275737463656E746572, __EXCEPTION__ 
=> Workflow::Exception [pid=8579|sid=t5sz]
2025/08/13 03:08:47 openxpki.application.INFO Purged 63 expired sessions 
[pid=22|sid=eLKt]
2025/08/13 03:13:52 openxpki.application.INFO Purged 59 expired sessions 
[pid=22|sid=eLKt]



  3.  Sample-Config also fails, but I ran it multiple times, could that be a 
problem?

[root@autosmoke openxpki-docker]# make sample-config
docker compose exec -u root  -it server /etc/openxpki/contrib/sampleconfig.sh
Fully automated sample setup using tmpdir /tmp/tmp.ckpVoJuApQ
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Successfully wrote alias:
  Alias     : ca-signer-7
  Identifier: TXaycrvaO3p0grmq2gGIHUHlT7A
  NotBefore : 2025-08-12 20:02:32
  NotAfter  : 2035-08-15 20:02:32


Token is certsign, looking for root...
Creating alias for root ca:
  Alias     : root-7
  Identifier: TXaycrvaO3p0grmq2gGIHUHlT7A
  NotBefore : 2025-08-12 20:02:32
  NotAfter  : 2035-08-15 20:02:32

make: *** [sample-config] Error 1



Could you help me figure this out?


Thanks,
Ed





_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--

Protect your environment -  close windows and adopt a penguin!
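
An added example, not part of the thread or of OpenXPKI's own code: a shell check for the rule quoted in the Vault error message ("256 bit length secret value encoded in 64 uppercase hex characters"), run against the value the server rejected in the logs above. The function names and the /dev/urandom-based generator are assumptions of this example.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # make [a-f] / [A-F] ranges byte-exact

# Value the server rejected, copied from the log lines in this thread.
REJECTED=6F70656E78706B6969736D796661766F72697465747275737463656E746572

# check_vault_secret VALUE (hypothetical helper)
# Returns 0 only for exactly 64 uppercase hex characters; prints the reason.
check_vault_secret() {
    value=$1
    len=${#value}
    case $value in
        ''|*[!0-9A-Fa-f]*) echo "invalid: not a hex string"; return 1 ;;
    esac
    case $value in
        *[a-f]*) echo "invalid: lowercase hex digits present"; return 1 ;;
    esac
    if [ "$len" -ne 64 ]; then
        echo "invalid: $len hex chars = $((len * 4)) bits, need 64 chars = 256 bits"
        return 1
    fi
    echo "ok: 64 uppercase hex chars (256 bits)"
}

# decode_hex VALUE (hypothetical helper)
# Prints the bytes as text, to spot a secret that is only an ASCII phrase.
decode_hex() {
    rest=$1
    [ $(( ${#rest} % 2 )) -eq 0 ] || return 1
    while [ -n "$rest" ]; do
        pair=${rest%"${rest#??}"}          # first two hex digits
        rest=${rest#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# gen_vault_secret (hypothetical helper)
# 32 bytes from the kernel CSPRNG, written as 64 uppercase hex characters.
gen_vault_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

check_vault_secret "$REJECTED" || true     # reports the length problem
decode_hex "$REJECTED"; echo               # shows the sample value is readable text
check_vault_secret "$(gen_vault_secret)"   # a random replacement passes
```

The rejected value decodes to a readable phrase from a public sample config, so a deployment that keeps data in the Vault should use a freshly generated value rather than padding the sample to 64 characters.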