Hi,

> Your suggestion, of replacing the secret with 64 chars, seems to correct
> the issue, but I run into another problem, where the workflow execution fails
> and keeps retrying. See the LOGs below:
>
> openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/workflows.log
> 2025/08/14 01:34:37 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:34:37 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:41:09
> 2025/08/14 01:41:13 511 start cert issue for serial 255, workflow 511
> 2025/08/14 01:41:13 511 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, __pki_realm__ => democa
> 2025/08/14 01:41:13 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:41:13 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:46:54
> 2025/08/14 01:46:59 511 start cert issue for serial 255, workflow 511
> 2025/08/14 01:46:59 511 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, __pki_realm__ => democa
> 2025/08/14 01:46:59 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:46:59 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:50:49
>
> openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/openxpki.log
> "OpenXPKI::Crypto::API" requires that the reference isa OpenXPKI::Crypto::API
> The reference (in $_[1]) isa Moose::Object and OpenXPKI::Crypto::Token::Vault [pid=1138|sid=Wbeh]
> 2025/08/14 01:28:31 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642111, __notbefore__ => 1755106111, __pki_realm__ => democa [pid=1887|sid=Wbeh]
> 2025/08/14 01:31:37 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642297, __notbefore__ => 1755106297, __pki_realm__ => democa [pid=2132|sid=Mzrd]
> 2025/08/14 01:34:37 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642477, __notbefore__ => 1755106477, __pki_realm__ => democa [pid=2374|sid=Mzrd]
> 2025/08/14 01:41:13 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, __pki_realm__ => democa [pid=2904|sid=Mzrd]
> 2025/08/14 01:46:59 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, __pki_realm__ => democa [pid=3360|sid=Mzrd]
> 2025/08/14 01:50:50 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643450, __notbefore__ => 1755107450, __pki_realm__ => democa [pid=3677|sid=Mzrd]
> 2025/08/14 01:54:41 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643681, __notbefore__ => 1755107681, __pki_realm__ => democa [pid=3981|sid=Mzrd]

You are trying to issue certificates with a validity of one year with a
signer that is not capable of doing so (because it expires earlier than
that).

In other words, your PKI is not properly maintained, and it has now
reached a state where it cannot operate properly any longer. You should
have performed a CA rollover earlier to maintain operational capability.

Your options now are

- perform the CA rollover (better late than never)
- reduce the validity of end entity certificates so they fit in the
  remaining CA validity

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
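
Added example, not part of the original mail and not OpenXPKI code: a small Python check that reads "Could not find token alias by group" errors like those quoted above, works out the requested validity window, and compares it with the signer lifetime as the reply describes. The SIGNERS table and its values are constructed assumptions; take the real notbefore/notafter from your own CA certificates.

```python
import re

# Two of the error lines quoted above from openxpki.log, used as sample input.
SAMPLE_LOG = """\
2025/08/14 01:41:13 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, __pki_realm__ => democa [pid=2904|sid=Mzrd]
2025/08/14 01:46:59 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, __pki_realm__ => democa [pid=3360|sid=Mzrd]
"""

# Assumption: signer validity windows as (notbefore, notafter) epoch seconds.
# These values are constructed; they are not taken from the thread.
SIGNERS = {"ca-signer-1": (1700000000, 1770000000)}

PARAM = re.compile(r"__(\w+?)__ => ([^,\s]+)")
DAY = 86400

def parse_failures(log_text):
    """Return the lookup parameters of every failed token lookup."""
    return [dict(PARAM.findall(line)) for line in log_text.splitlines()
            if "Could not find token alias by group" in line]

def diagnose(params, signers):
    """Check the requested validity window against each signer's window."""
    nb = int(params["notbefore"])
    na = int(params["noafter"])  # spelled "__noafter__" in the log output
    # Signers already valid and not yet expired at the requested start.
    usable = {n: w for n, w in signers.items() if w[0] <= nb < w[1]}
    # Signers whose own lifetime covers the whole requested window.
    covering = sorted(n for n, w in usable.items() if w[1] >= na)
    # Longest end entity validity (whole days) that still fits a usable signer.
    max_fit = max(((w[1] - nb) // DAY for w in usable.values()), default=0)
    return {"group": params["group"], "realm": params["pki_realm"],
            "requested_days": (na - nb) // DAY,
            "covering_signers": covering, "max_fit_days": max_fit}

def report(log_text, signers):
    """Diagnose every failed lookup found in the log text."""
    return [diagnose(p, signers) for p in parse_failures(log_text)]

if __name__ == "__main__":
    for r in report(SAMPLE_LOG, SIGNERS):
        action = "ok" if r["covering_signers"] else (
            f"roll over the CA or cap validity at {r['max_fit_days']} days")
        print(r["realm"], r["group"], f"requested={r['requested_days']}d", action)
```

With the constructed signer the requested 365 days do not fit, which matches the two options listed in the reply: roll over the CA, or shorten the end entity validity to what the signer can still cover.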