Re: [OpenXPKI-users] Sscep problem

2024-02-06 Thread Oliver Welter

Hi Ali,

please upgrade to v3.28.2 (see recent message) - this will fix the issue.

Oliver

On 05.02.24 14:24, Ali Danakiran wrote:

Hey,
Thanks for your help.
I have now changed it and now I get the certificates displayed via 
WebGui under My Tasks but via CLI it still says Failure and I still 
have error logs. Where can I define signers?


Workflows.log:
2024/02/05 07:19:42 8703 Rendering subject: CN=scep-server,DC=Test 
Deployment,DC=OpenXPKI,DC=org

2024/02/05 07:19:42 8703 Trusted Signer chain - certificate is self signed
2024/02/05 07:19:42 8703 Trusted Signer not found in trust list 
(CN=scep-server,O=MyOrg,ST=MyState,C=XX).
2024/02/05 07:19:43 8703 Eligibility check for 
scep.generic.eligible.initial failed
2024/02/05 07:19:43 8703 Trigger notification message 
enroll_approval_pending


catchcall.log:
2024/02/05 07:19:38 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63279|sid=+U/i|pki_realm=test]
2024/02/05 07:19:39 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63281|sid=L1yv|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Rendering subject: CN=scep-server,DC=Test Deployment,DC=OpenXPKI,DC=org [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Trusted Signer chain - certificate is self signed [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:42 openxpki.application.INFO Trusted Signer not found in trust list (CN=scep-server,O=MyOrg,ST=MyState,C=XX). [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFO Eligibility check for scep.generic.eligible.initial failed [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:43 openxpki.application.INFO Trigger notification message enroll_approval_pending [pid=63281|user=Anonymous|role=System|sid=L1yv|wftype=certificate_enroll|wfid=8703|pki_realm=test]
2024/02/05 07:19:52 openxpki.application.INFO Purged 1 expired sessions [pid=63109|sid=Qzi3|pki_realm=test]
2024/02/05 07:20:34 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=63287|sid=JXPx|pki_realm=test]
2024/02/05 07:24:57 openxpki.application.INFO Purged 3 expired sessions [pid=63109|sid=Qzi3|pki_realm=test]


scep.log:
2024/02/05 07:19:44 INF Request Pending - PENDING [pid=61645|ep=generic]
2024/02/05 07:19:44 INF Send pending response for 
459BA147BDD0E5DEFD7225A843EBD7B5 [pid=61645|ep=generic]

2024/02/05 07:19:44 INF Disconnect client [pid=61645|ep=generic]
2024/02/05 07:20:35 ERR Unable to parse PKCS10: decode: decode error 
06<=>30 4 8 certificationRequestInfo at 
/usr/share/perl5/Convert/ASN1/_decode.pm line 117.
Cannot handle input or missing ASN.1 definitions at 
/usr/share/perl5/Crypt/PKCS10.pm line 756.
  Crypt::PKCS10::_new(undef, undef, undef, "ignoreNonBase64", 1, 
"verifySignature", 1) called at /usr/share/perl5/Crypt/PKCS10.pm line 607

  eval {...} called at /usr/share/perl5/Crypt/PKCS10.pm line 604
  Crypt::PKCS10::new("Crypt::PKCS10", 
"0\x{82}\x{8}\x{c7}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{2}\x{a0}\x{82}\x{8}\x{b8}0\x{82}\x{8}\x{b4}\x{2}\x{1}\x{1}1\x{f}0\x{d}\x{6}\x{9}`\x{86}H\x{1}e\x{3}\x{4}\x{2}\x{3}\x{5}\x{0}0\x{82}\x{2}\x{e6}\x{6}\x{9}*\x{86}H\x{86}\x{f7}\x{d}\x{1}\x{7}\x{1}\x{a0}\x{82}\x{2}"..., 
"ignoreNonBase64", 1, "verifySignature", 1) called at 
/usr/share/perl5/OpenXPKI/Client/Service/Base.pm line 185
  OpenXPKI::Client::Service::Base::handle_enrollment_request(OpenXPKI::Client::Service::SCEP=HASH(0x5649357e2b68), 
CGI::Fast=HASH(0x564932fb3278)) called at /usr/lib/cgi-bin/scepv3.fcgi 
line 100

 [pid=61645|ep=generic]
2024/02/05 07:20:35 WAR Client error / malformed request badRequest 
[pid=61645|ep=generic]

2024/02/05 07:20:36 INF Disconnect client [pid=61645|ep=generic]



Oliver Welter wrote on Mon, 5 Feb 2024 at 11:51:

Hi Ali,

you need to define a policy file matching the name of the used
endpoint. The endpoint is the later part of the used URL, so
"scep" in your case and so must be the name of the policy file in
config.d/realm/democa/scep. The default configuration ships a file
named "generic.yaml", so your URL should be /scep/generic to match
this file. We have changed the "fallback" behaviour in this point
with the switch to the new SCEP login two releases ago, so old
examples are likely no longer working with the stock config, I
would therefore 

[OpenXPKI-users] Bugfix Release v3.28.2

2024-02-06 Thread Oliver Welter

Dear OpenXPKI Fellows,

as the broken implementation for GetCertInitial seems to affect more 
users than expected, we have backported the fix and released a new 
package v3.28.2 today. The docker container is also updated.


Thanks to Andreas Steffen for the report and detailed analysis.

best regards

Oliver

--
Protect your environment -  close windows and adopt a penguin!



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] openxpkiadm Unable to access table 'certificate'

2024-02-06 Thread Sergei Vyshenski

James ,

It seems you have made a number of strange moves.

Move 1. You create pg-user "openxpki" at pg-server without a password. 
Even if later you configure openxpki server with some password for this 
pg-user, ANY password (including empty password) will be accepted for 
any operation on behalf of this pg-user, which seems like a security hole.


Move 2. You load a schema (thus creating tables) as a pg-superuser 
(postgres); later you try to access these tables as a regular pg-user 
openxpki, which should not work.


Move 3. When you run "sudo --user=openxpki openxpkiadm ...", note that 
here you refer to a system user, not to the pg-user of the same name.


Your particular error should be gone if you import schema as pg-user 
"openxpki":


psql --username openxpki openxpki < 
/usr/local/share/examples/openxpki/config/contrib/sql/schema-psql.sql


But further revision of your moves is recommended.

Regards, Sergei

On 6 Feb 24 Tue 21:21, James B. Byrne via OpenXPKI-users wrote:

PostgreSQL-16
FreeBSD-13.2p9

I am trying to setup openxpki using PostgreSQL as the data store.  After
installing both postgresql16 and openxpki I completed the following steps
successfully using psql:

psql -U postgres -d postgres

CREATE USER openxpki;

CREATE DATABASE openxpki;

GRANT ALL PRIVILEGES ON DATABASE openxpki TO openxpki;

I altered config.d/system/database.yaml

 type: PostgreSQL
 name: openxpki
 user: openxpki
 passwd: openxpki

I checked for local connections in /var/db/postgres/data16/pg_hba.conf:

local   all all trust

I successfully loaded the openxpki schema for postgresql:

psql --username postgres  openxpki <
/usr/local/share/examples/openxpki/config/contrib/sql/schema-psql.sql

I created the vault key and certificate and moved them to
/usr/local/etc/openxpki/local/keys.

I then tried to load these into openxpki using openxpkiadm. This fails with a
database permissions error:

sudo --user=openxpki openxpkiadm certificate import --file
/usr/local/etc/openxpki/local/keys/vault.crt
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 107.
Starting import
2024/02/06 13:20:33 Database error: execution of SQL query failed;
__dbi_error__ => ERROR:  permission denied for table certificate, __dsn__ =>
dbi:Pg:database=openxpki;sslmode=allow, __query__ => SELECT identifier,
pki_realm, status, req_key FROM certificate WHERE ( identifier = ? ) LIMIT ?
OFFSET ?, __source__ => DBD::Pg::st::execute, __user__ => openxpki
Database error: execution of SQL query failed
__dsn__: dbi:Pg:database=openxpki;sslmode=allow
__dbi_error__: ERROR:  permission denied for table certificate
__user__: openxpki
__source__: DBD::Pg::st::execute
__query__: SELECT identifier, pki_realm, status, req_key FROM certificate
WHERE ( identifier = ? ) LIMIT ? OFFSET ?

It also fails for both root and postgres users.

What step have I missed?






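As an added example (not from the thread and not OpenXPKI's own tooling), the PostgreSQL statements below apply Sergei's three points in order: give the application role a password, make it the owner of the database so the schema it loads is owned by it, and, for an installation where the schema was already imported as the "postgres" superuser (James's situation), hand ownership of the existing objects over instead of re-importing. The password is a placeholder; the schema path is the one from the thread. The final SELECT is the check: the "permission denied for table certificate" error is explained by any row there whose tableowner is still "postgres".

```sql
-- Added example, not from the mailing list. Run with psql as the "postgres"
-- superuser; the \connect line is a psql meta-command, everything else is SQL.
-- 'CHANGE-ME-placeholder' is a placeholder: choose your own password and put
-- the same value under "passwd:" in config.d/system/database.yaml.

-- Move 1: the application role gets a password instead of being created without one.
-- Note: with "local all all trust" in pg_hba.conf the password is never checked;
-- use scram-sha-256 (or "peer", which maps the OS user to the role of the same name,
-- which is why "sudo --user=openxpki" matters under Move 3) so it actually is.
CREATE ROLE openxpki LOGIN PASSWORD 'CHANGE-ME-placeholder';

-- Move 2: the application role owns the database, so the tables it creates are its own.
CREATE DATABASE openxpki OWNER openxpki;

-- Fresh install: load the schema AS the application role (shell command, shown here
-- as a comment because it is not SQL):
--   psql --username openxpki --dbname openxpki \
--        < /usr/local/share/examples/openxpki/config/contrib/sql/schema-psql.sql

-- Existing install where the schema was already imported as "postgres": transfer
-- ownership of the database and of every table and sequence in "public" to openxpki.
\connect openxpki
ALTER DATABASE openxpki OWNER TO openxpki;
DO $$
DECLARE
  r record;
BEGIN
  FOR r IN SELECT tablename FROM pg_tables WHERE schemaname = 'public' LOOP
    EXECUTE format('ALTER TABLE public.%I OWNER TO openxpki', r.tablename);
  END LOOP;
  FOR r IN SELECT sequencename FROM pg_sequences WHERE schemaname = 'public' LOOP
    EXECUTE format('ALTER SEQUENCE public.%I OWNER TO openxpki', r.sequencename);
  END LOOP;
END
$$;

-- Check: every tableowner must now read "openxpki". A row still owned by
-- "postgres" is exactly what produces "permission denied for table certificate".
SELECT tablename, tableowner
FROM pg_tables
WHERE schemaname = 'public'
ORDER BY tablename;
```

Ownership transfer rather than a blanket GRANT is the smaller change: the role only ever needs the tables OpenXPKI's schema file created, and nothing in the thread asks for superuser-level rights on the database for it.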

Re: [OpenXPKI-users] openxpkiadm Unable to access table 'certificate'

2024-02-06 Thread James B. Byrne via OpenXPKI-users
On Tue, February 6, 2024 13:29, Lixin Liu wrote:
> Hi James,
>
> I am using "peer" instead of "trust" in my pg_hba.conf. You may want to try
> this.
>

Thanks, but changing this made no difference.

Regards,


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne  mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3





Re: [OpenXPKI-users] openxpkiadm Unable to access table 'certificate'

2024-02-06 Thread Lixin Liu
Hi James,

I am using "peer" instead of "trust" in my pg_hba.conf. You may want to try 
this.

Cheers,

Lixin.

On 2024-02-06, 10:21 AM, "James B. Byrne via OpenXPKI-users" 
<openxpki-users@lists.sourceforge.net> wrote:






[OpenXPKI-users] openxpkiadm Unable to access table 'certificate'

2024-02-06 Thread James B. Byrne via OpenXPKI-users
PostgreSQL-16
FreeBSD-13.2p9

I am trying to setup openxpki using PostgreSQL as the data store.  After
installing both postgresql16 and openxpki I completed the following steps
successfully using psql:

psql -U postgres -d postgres

CREATE USER openxpki;

CREATE DATABASE openxpki;

GRANT ALL PRIVILEGES ON DATABASE openxpki TO openxpki;

I altered config.d/system/database.yaml

type: PostgreSQL
name: openxpki
user: openxpki
passwd: openxpki

I checked for local connections in /var/db/postgres/data16/pg_hba.conf:

local   all all trust

I successfully loaded the openxpki schema for postgresql:

psql --username postgres  openxpki <
/usr/local/share/examples/openxpki/config/contrib/sql/schema-psql.sql

I created the vault key and certificate and moved them to
/usr/local/etc/openxpki/local/keys.

I then tried to load these into openxpki using openxpkiadm. This fails with a
database permissions error:

sudo --user=openxpki openxpkiadm certificate import --file
/usr/local/etc/openxpki/local/keys/vault.crt
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 107.
Starting import
2024/02/06 13:20:33 Database error: execution of SQL query failed;
__dbi_error__ => ERROR:  permission denied for table certificate, __dsn__ =>
dbi:Pg:database=openxpki;sslmode=allow, __query__ => SELECT identifier,
pki_realm, status, req_key FROM certificate WHERE ( identifier = ? ) LIMIT ?
OFFSET ?, __source__ => DBD::Pg::st::execute, __user__ => openxpki
Database error: execution of SQL query failed
   __dsn__: dbi:Pg:database=openxpki;sslmode=allow
   __dbi_error__: ERROR:  permission denied for table certificate
   __user__: openxpki
   __source__: DBD::Pg::st::execute
   __query__: SELECT identifier, pki_realm, status, req_key FROM certificate
WHERE ( identifier = ? ) LIMIT ? OFFSET ?

It also fails for both root and postgres users.

What step have I missed?



