Hi Martin,

You mentioned:

>You are trying to issue certificates with a validity of one year with a signer
>that is not capable of doing so (because it expires earlier than that).
>In other words, your PKI is not properly maintained, and it has now reached a
>state where it cannot operate properly any longer. You should have performed
>a CA rollover earlier to maintain operational capability.
>
>Your options now are
>- perform the CA rollover (better late than never)
>- reduce the validity of end entity certificates so they fit in the remaining
>CA validity

I don't think CA rollover is possible at this stage, where I am trying to bring the OpenXPKI system up for the first time, during a new install. Is it something I can fix by modifying the scep endpoint YAML file?

Your help is very much appreciated,

Thanks,
Ed

-----Original Message-----
From: Martin Bartosch <vc-...@cynops.de>
Sent: Wednesday, August 13, 2025 5:31 PM
To: Martin Bartosch via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Cc: Jean-Baptiste, Edwige <edwige.jean-bapti...@commscope.com>
Subject: Re: [OpenXPKI-users] Error while installing OpenXPKI (Community Edition v3.32.0), and testing the WebUI (with user alice)

Hi,

> Your suggestion, of replacing the secret with 64 chars, seems to correct
> the issue, but I run into another problem, where the workflow execution fails
> and keeps retrying. See the logs below:
>
> openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/workflows.log
> 2025/08/14 01:34:37 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:34:37 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:41:09
> 2025/08/14 01:41:13 511 start cert issue for serial 255, workflow 511
> 2025/08/14 01:41:13 511 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, __pki_realm__ => democa
> 2025/08/14 01:41:13 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:41:13 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:46:54
> 2025/08/14 01:46:59 511 start cert issue for serial 255, workflow 511
> 2025/08/14 01:46:59 511 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, __pki_realm__ => democa
> 2025/08/14 01:46:59 511 NICE issueCertificate failed but pause_on_error is requested
> 2025/08/14 01:46:59 511 Action 'global_nice_issue_certificate' paused (I18N_OPENXPKI_UI_NICE_BACKEND_ERROR), wakeup 2025-08-13T17:50:49
>
> openxpki@0f29cbd7bca9:/var/log$ tail -f openxpki-server/openxpki.log
> "OpenXPKI::Crypto::API" requires that the reference isa OpenXPKI::Crypto::API
> The reference (in $_[1]) isa Moose::Object and OpenXPKI::Crypto::Token::Vault [pid=1138|sid=Wbeh]
> 2025/08/14 01:28:31 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642111, __notbefore__ => 1755106111, __pki_realm__ => democa [pid=1887|sid=Wbeh]
> 2025/08/14 01:31:37 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642297, __notbefore__ => 1755106297, __pki_realm__ => democa [pid=2132|sid=Mzrd]
> 2025/08/14 01:34:37 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642477, __notbefore__ => 1755106477, __pki_realm__ => democa [pid=2374|sid=Mzrd]
> 2025/08/14 01:41:13 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => 1755106873, __pki_realm__ => democa [pid=2904|sid=Mzrd]
> 2025/08/14 01:46:59 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643219, __notbefore__ => 1755107219, __pki_realm__ => democa [pid=3360|sid=Mzrd]
> 2025/08/14 01:50:50 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643450, __notbefore__ => 1755107450, __pki_realm__ => democa [pid=3677|sid=Mzrd]
> 2025/08/14 01:54:41 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1786643681, __notbefore__ => 1755107681, __pki_realm__ => democa [pid=3981|sid=Mzrd]

You are trying to issue certificates with a validity of one year with a signer that is not capable of doing so (because it expires earlier than that).

In other words, your PKI is not properly maintained, and it has now reached a state where it cannot operate properly any longer. You should have performed a CA rollover earlier to maintain operational capability.

Your options now are
- perform the CA rollover (better late than never)
- reduce the validity of end entity certificates so they fit in the remaining CA validity

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
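As an added illustration of Martin's diagnosis (this is example code, not from the thread or from OpenXPKI itself), the script below parses the __notbefore__/__noafter__ epoch values from one of the logged "Could not find token alias by group" lines, shows that the requested window is exactly 365 days, and checks it against a signer's notAfter. The CA expiry date ASSUMED_CA_NOT_AFTER is an assumption, since the post never states it; the last function computes the longest end-entity validity that would still fit, which is Martin's second option.

```python
import re
from datetime import datetime, timezone

# Constructed sample: one openxpki.log line copied from the thread.
SAMPLE_LOG = (
    "2025/08/14 01:41:13 ERROR Could not find token alias by group; "
    "__group__ => ca-signer, __noafter__ => 1786642873, __notbefore__ => "
    "1755106873, __pki_realm__ => democa [pid=2904|sid=Mzrd]"
)

# Assumed expiry of the only 'ca-signer' token; the thread does not give it.
ASSUMED_CA_NOT_AFTER = datetime(2026, 3, 1, tzinfo=timezone.utc)

FIELD = re.compile(r"__(notbefore|noafter)__\s*=>\s*(\d+)")


def parse_requested_window(line):
    """Return (notbefore, notafter) of the requested certificate as UTC datetimes."""
    fields = {key: int(value) for key, value in FIELD.findall(line)}
    not_before = datetime.fromtimestamp(fields["notbefore"], tz=timezone.utc)
    not_after = datetime.fromtimestamp(fields["noafter"], tz=timezone.utc)
    return not_before, not_after


def requested_validity_days(line):
    """Whole days between the requested notBefore and notAfter."""
    not_before, not_after = parse_requested_window(line)
    return (not_after - not_before).days


def signer_covers(line, ca_not_after):
    """True if a signer expiring at ca_not_after can cover the whole requested
    window; per Martin's explanation, no alias is found when it cannot."""
    _, not_after = parse_requested_window(line)
    return ca_not_after >= not_after


def max_fitting_validity_days(line, ca_not_after):
    """Largest whole-day end-entity validity that still fits inside the
    remaining signer lifetime (Martin's 'reduce the validity' option)."""
    not_before, _ = parse_requested_window(line)
    return max(0, (ca_not_after - not_before).days)


if __name__ == "__main__":
    nb, na = parse_requested_window(SAMPLE_LOG)
    print("requested:", nb.isoformat(), "->", na.isoformat())
    print("requested days:", requested_validity_days(SAMPLE_LOG))
    print("signer covers:", signer_covers(SAMPLE_LOG, ASSUMED_CA_NOT_AFTER))
    print("max fitting days:", max_fitting_validity_days(SAMPLE_LOG, ASSUMED_CA_NOT_AFTER))
```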