Re: [OpenXPKI-users] Missing index.html
Check the permissions of the full path/folder and check if it's a real file or a (broken) symlink.

On 22.02.24 22:08, James B. Byrne via OpenXPKI-users wrote:
> I see this in the ssl error log:
>
> [Thu Feb 22 16:02:49.970150 2024] [fcgid:warn] [pid 58293] [client 192.168.216.89:58932] mod_fcgid: stderr: [Thu Feb 22 16:02:49 2024] webui.fcgi: Can't open config file '/usr/local/etc/openxpki/webui/default.conf' (permission denied) at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Config.pm line 327., referer: https://192.168.216.89/openxpki/
>
> ll /usr/local/etc/openxpki/webui/
> total 6
> -rw-r--r-- 1 root wheel 4729 Feb 13 14:19 default.conf
>
> I do not see any permissions difference from:
>
> ll /usr/local/share/examples/openxpki/config/webui
> total 6
> -rw-r--r-- 1 root wheel 4729 Jan 8 08:05 default.conf
>
> What is the permissions problem?
>
> Thanks,

--
Protect your environment - close windows and adopt a penguin!

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
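The check suggested above, walking the whole path rather than only the final file, as an added shell example; it is not code from the thread or from the OpenXPKI project. The listing in the question shows default.conf as root:wheel 0644, so the web server user that runs webui.fcgi is neither owner nor group member and depends on the "other" bits of every directory on the way; the function therefore reports each component, flags a dangling symlink, a directory without the other-x bit and a final file without the other-r bit. The function name and the relative-path behaviour (relative paths are checked from the current directory only, so parents outside the tree are not inspected) are my choices.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenXPKI project): report why a
# process that is neither the owner nor in the group of a file (the web
# server user reading a root:wheel config) could get "permission denied".
# Absolute paths are checked from /; relative paths from the current
# directory only.
check_path_access() {
    target=$1
    rc=0
    case $target in
        /*) prefix="" ;;
        *)  prefix="." ;;
    esac
    # split on "/" without globbing; the function's own positional
    # parameters are overwritten, which is fine now that $1 is saved
    oldifs=$IFS
    IFS='/'
    set -f
    set -- $target
    set +f
    IFS=$oldifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue          # leading or doubled slash
        prefix="$prefix/$comp"
        if [ -L "$prefix" ] && [ ! -e "$prefix" ]; then
            echo "BROKEN SYMLINK: $prefix -> $(readlink "$prefix")"
            return 1
        fi
        if [ ! -e "$prefix" ]; then
            echo "MISSING: $prefix"
            return 1
        fi
        # ls -ldL prints the mode of the symlink target, not of the link
        mode=$(ls -ldL "$prefix" | cut -c1-10)
        if [ -L "$prefix" ]; then
            echo "$mode $prefix (symlink -> $(readlink "$prefix"))"
        else
            echo "$mode $prefix"
        fi
        if [ -d "$prefix" ]; then
            # char 10 of the mode is the "other" execute bit (x, or t when sticky)
            case $mode in
                *[xt]) ;;
                *) echo "  -> directory not searchable by others (no x bit)"; rc=1 ;;
            esac
        else
            # char 8 of the mode is the "other" read bit
            case $mode in
                ???????r??) ;;
                *) echo "  -> file not readable by others (no r bit)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Run as a script: sh check_path.sh /usr/local/etc/openxpki/webui/default.conf
if [ $# -gt 0 ]; then
    check_path_access "$1"
fi
```

A zero exit status means every component is traversable and the file is world-readable; a non-zero status comes with a line naming the first component that is not. If the web server user is a member of the owning group, the group bits apply instead and the "other" bit warning can be ignored for that component.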
Re: [OpenXPKI-users] Missing index.html
I see this in the ssl error log:

[Thu Feb 22 16:02:49.970150 2024] [fcgid:warn] [pid 58293] [client 192.168.216.89:58932] mod_fcgid: stderr: [Thu Feb 22 16:02:49 2024] webui.fcgi: Can't open config file '/usr/local/etc/openxpki/webui/default.conf' (permission denied) at /usr/local/lib/perl5/site_perl/OpenXPKI/Client/Config.pm line 327., referer: https://192.168.216.89/openxpki/

ll /usr/local/etc/openxpki/webui/
total 6
-rw-r--r-- 1 root wheel 4729 Feb 13 14:19 default.conf

I do not see any permissions difference from:

ll /usr/local/share/examples/openxpki/config/webui
total 6
-rw-r--r-- 1 root wheel 4729 Jan 8 08:05 default.conf

What is the permissions problem?

Thanks,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Re: [OpenXPKI-users] Missing index.html
Ok. I have discovered that mod_fcgid was not loaded, notwithstanding the report by apachectl. Having added the necessary LoadModule statement in httpd.conf, ensuring that it follows the LoadModule mod_unixd statement, and restarting Apache, I now have a new error:

I18N_OPENXPKI_UI_APPLICATION_ERROR

locale says this:

locale
LANG=C.UTF-8
LC_CTYPE="C.UTF-8"
LC_COLLATE="C.UTF-8"
LC_TIME="C.UTF-8"
LC_NUMERIC="C.UTF-8"
LC_MONETARY="C.UTF-8"
LC_MESSAGES="C.UTF-8"
LC_ALL=

Quickstart guide says this:

. . .
Settings about filesystem, daemon and services to start. Located at system.server

os related stuff

i18n locale settings:

  i18n:
    locale_directory: path to the gettext locales on your system
    default_language: supported locale (e.g. en_US.utf8)

Location of the locale files and the default language used. If you set another language than C, make sure you have the correct po-files installed, otherwise OpenXPKI won't even start! This usually only affects logging and system messages as most of the client related output uses the locale settings from the client session. We recommend using C as default.
. . .

/usr/local/etc/openxpki/config.d/system/server.yaml says this:

# settings for i18n
i18n:
    locale_directory: /usr/share/locale
    default_language: C

And /usr/share/locale contains, among many others, this:

ll /usr/share/locale
total 2113
drwxr-xr-x 2 root wheel 3 Dec 2 2021 C.UTF-8
. . .

Suggestions?
Re: [OpenXPKI-users] Missing index.html
Hi James

On 22.02.24 18:37, James B. Byrne via OpenXPKI-users wrote:
> 192.168.216.89 - - [22/Feb/2024:12:17:17 -0500] "GET /openxpki/cgi-bin/webui.fcgi?page=welcome=top&_=1708622237008 HTTP/1.1" 200 10717 "https://192.168.216.89/openxpki/" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"

This line says that the result from the initial page call is a 200 but the size is quite too large IMHO - so I suspect that Martin's statement is right and you are not executing the CGI script but seeing the source code.

Please open the Firefox Developer Console (F12), go to the network tab and check what you get back from this call. It should be a JSON structure and not perl code. If it is perl, check if you have the CGI stuff enabled for the directory, etc...

... and if you guys get this working, we would appreciate a pull request on the config repo with a working apache config or at least a README how to get things changed.

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: [OpenXPKI-users] Missing index.html
On Thu, February 22, 2024 11:30, Martin Bartosch wrote:
> Hi,
>
>> I have discovered that my literal reading of README.md and the Quickstart guide
>> led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
>> /var/local/www/openxpki/ whereas it appears that I instead should have copied
>> the contents thereof. This I have now done and I get a different error.
>>
>> I now see the openxpki logo on a grey page with the following error message box:
>>
>> Application Error
>>
>> [
>> "There was an error while processing the data received from the server: ",
>> {}
>> ]
>>
>> This probably means that I have misconfigured, or failed to configure something
>> else.
>>
>> Any clues as to what that may be?
>
> Is mod_fcgid enabled in Apache? Check if the fcgi scripts are actually
> executed, if mod_fcgid is not enabled you will see the raw output of the CGI
> script in the development console or your browser.

apachectl -t -D DUMP_MODULES | grep fastcgi
fastcgi_module (shared)

I think that error message is likely the raw output of the CGI script.

>
> Check the web server error log file for hints.
>
> If fcgi is enabled, check the web server log files, typically at
> /var/log/openxpki/webui.log, you should see log messages there.
> If none are to be seen,

I stopped apache, emptied the log files, restarted apache, and navigated to openxpki. These are all of the log entries created.

cat /var/log/httpd/apache24/openxpki/openxpki-3_ssl_error.log
[Thu Feb 22 12:17:11.627936 2024] [ssl:warn] [pid 52215] AH01909: openxpki.hamilton.harte-lyne.ca:443:0 server certificate does NOT include an ID which matches the server name
[Thu Feb 22 12:17:11.634189 2024] [ssl:warn] [pid 52216] AH01909: openxpki.hamilton.harte-lyne.ca:443:0 server certificate does NOT include an ID which matches the server name

cat /var/log/httpd/apache24/main/main_no_io_access.log
192.168.216.89 - - [22/Feb/2024:12:17:16 -0500] "GET /openxpki/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"
192.168.216.89 - - [22/Feb/2024:12:17:17 -0500] "GET /openxpki/localconfig.yaml HTTP/1.1" 404 196 "https://192.168.216.89/openxpki/" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"
192.168.216.89 - - [22/Feb/2024:12:17:17 -0500] "GET /openxpki/cgi-bin/webui.fcgi?page=welcome=top&_=1708622237008 HTTP/1.1" 200 10717 "https://192.168.216.89/openxpki/" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"

cat /var/log/httpd/apache24/openxpki/openxpki-3_ssl_error.log
192.168.216.89 - - [22/Feb/2024:10:20:07 -0500] "GET /openxpki/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"
192.168.216.89 - - [22/Feb/2024:10:20:07 -0500] "GET /openxpki/localconfig.yaml HTTP/1.1" 404 196 "https://192.168.216.89/openxpki/" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"
192.168.216.89 - - [22/Feb/2024:10:20:07 -0500] "GET /openxpki/cgi-bin/webui.fcgi?page=welcome=top&_=1708615207787 HTTP/1.1" 200 10717 "https://192.168.216.89/openxpki/" "Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0"

The log files you mention were previously created, although the permissions are 660.

ll /var/log/openxpki/*
-rw-rw---- 1 openxpki openxpki   519 Feb 14 09:56 /var/log/openxpki/audit.log
-rw-rw---- 1 openxpki openxpki 10472 Feb 14 10:57 /var/log/openxpki/catchall.log
-rw-rw---- 1 openxpki openxpki  1096 Feb 13 08:35 /var/log/openxpki/deprecated.log
-rw-rw---- 1 openxpki openxpki  6283 Feb 14 10:36 /var/log/openxpki/openxpki.log
-rw-rw---- 1 www      www          0 Feb  8 09:12 /var/log/openxpki/scep.log
-rw-rw---- 1 www      www          0 Feb  8 09:12 /var/log/openxpki/soap.log
-rw-rw---- 1 openxpki openxpki  2371 Feb 13 08:35 /var/log/openxpki/stderr.log
-rw-rw---- 1 www      www          0 Feb  8 09:12 /var/log/openxpki/webui.log
-rw-rw---- 1 openxpki openxpki    74 Feb 14 10:36 /var/log/openxpki/workflows.log

On Thu, February 22, 2024 11:43, Sergei Vyshenski wrote:
>
> pkg info --pkg-message p5-openxpki
>

Is there something in particular in this documentation to which you wish to draw my attention? To the best of my ability to determine I have already used this information in my installation. I am using the system openssl, /var/tmp/ and so forth exist. The openxpki log files have the pkg recommended permissions and owners.

Thanks,
Re: [OpenXPKI-users] Missing index.html
pkg info --pkg-message p5-openxpki

On 22 Feb 24 Thu 19:13, James B. Byrne via OpenXPKI-users wrote:
> I have discovered that my literal reading of README.md and the Quickstart guide
> led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
> /var/local/www/openxpki/ whereas it appears that I instead should have copied
> the contents thereof. This I have now done and I get a different error.
>
> I now see the openxpki logo on a grey page with the following error message box:
>
> Application Error
>
> [
> "There was an error while processing the data received from the server: ",
> {}
> ]
>
> This probably means that I have misconfigured, or failed to configure something
> else.
>
> Any clues as to what that may be?
>
> Thanks,
Re: [OpenXPKI-users] Missing index.html
Hi,

> I have discovered that my literal reading of README.md and the Quickstart guide
> led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
> /var/local/www/openxpki/ whereas it appears that I instead should have copied
> the contents thereof. This I have now done and I get a different error.
>
> I now see the openxpki logo on a grey page with the following error message box:
>
> Application Error
>
> [
> "There was an error while processing the data received from the server: ",
> {}
> ]
>
> This probably means that I have misconfigured, or failed to configure something
> else.
>
> Any clues as to what that may be?

Is mod_fcgid enabled in Apache? Check if the fcgi scripts are actually executed, if mod_fcgid is not enabled you will see the raw output of the CGI script in the development console or your browser.

Check the web server error log file for hints.

If fcgi is enabled, check the web server log files, typically at /var/log/openxpki/webui.log, you should see log messages there. If none are to be seen,

touch /var/log/openxpki/webui.log
chown WEBSERVER-RUNTIME-USER /var/log/openxpki/webui.log
chmod 600 /var/log/openxpki/webui.log

And retry. While you are at it, also create scep.log, rpc.log, est.log with the same owner/permissions there.

HTH

Martin
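The two checks Martin asks for, as an added shell example that is not code from the thread or from the OpenXPKI project. The first reads a saved `apachectl -t -D DUMP_MODULES` listing and looks for `fcgid_module` specifically: James's grep for "fastcgi" matched `fastcgi_module`, which is mod_fastcgi, a different module, and he later found mod_fcgid was not loaded at all. The second creates the four log files Martin names with the web server user as owner and mode 600, so no other local account can read the web UI and enrollment logs, and leaves existing content alone on re-runs. The function names, the parameter order and the sample module dumps in the test are mine; the user name www comes from the listing in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenXPKI project).

# fcgid_module_loaded DUMPFILE
# DUMPFILE holds the output of `apachectl -t -D DUMP_MODULES` (or
# `apachectl -M`). OpenXPKI's .fcgi scripts need mod_fcgid, which reports
# itself as "fcgid_module"; "fastcgi_module" is the separate mod_fastcgi
# and does not satisfy the requirement.
fcgid_module_loaded() {
    dump=$1
    if grep -q '^[[:space:]]*fcgid_module[[:space:]]' "$dump"; then
        echo "mod_fcgid is loaded (fcgid_module)"
        return 0
    fi
    if grep -q '^[[:space:]]*fastcgi_module[[:space:]]' "$dump"; then
        echo "fastcgi_module (mod_fastcgi) is loaded, but that is not mod_fcgid"
    fi
    echo "mod_fcgid is NOT loaded: the .fcgi scripts will not be executed"
    return 1
}

# ensure_openxpki_logs LOGDIR OWNER [FILE...]
# Creates the given log files (default: the four Martin names) if they
# are missing, hands them to the web server runtime user and restricts
# them to mode 600. Safe to re-run; existing content is left untouched.
ensure_openxpki_logs() {
    logdir=$1
    owner=$2
    shift 2
    [ $# -gt 0 ] || set -- webui.log scep.log rpc.log est.log
    if [ ! -d "$logdir" ]; then
        echo "no such directory: $logdir"
        return 1
    fi
    for f in "$@"; do
        path="$logdir/$f"
        [ -e "$path" ] || touch "$path" || return 1
        chown "$owner" "$path" || return 1
        chmod 600 "$path" || return 1
        echo "$(ls -l "$path" | cut -c1-10) $owner $path"
    done
    return 0
}

# Usage on the FreeBSD host from the thread (www is the Apache user there):
#   apachectl -t -D DUMP_MODULES > /tmp/modules.txt
#   fcgid_module_loaded /tmp/modules.txt
#   ensure_openxpki_logs /var/log/openxpki www
```

Both functions return 0 on success and 1 otherwise, so they can sit in front of a service restart in a deployment script. The log files are deliberately not created with group access: the 660 files in James's listing are readable by everyone in the owning group, which is wider than a web server log needs.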
Re: [OpenXPKI-users] Missing index.html
I have discovered that my literal reading of README.md and the Quickstart guide led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to /var/local/www/openxpki/ whereas it appears that I instead should have copied the contents thereof. This I have now done and I get a different error.

I now see the openxpki logo on a grey page with the following error message box:

Application Error

[
"There was an error while processing the data received from the server: ",
{}
]

This probably means that I have misconfigured, or failed to configure something else.

Any clues as to what that may be?

Thanks,
Re: [OpenXPKI-users] Missing index.html
On Thu, February 22, 2024 08:06, Martin Arendtsen wrote:
> Hi,
>
> I believe that Sergei (Thank you for your work!) follows a standard for the
> apache installed on FreeBSD.
> Remember that FreeBSD puts everything in /usr/local when it comes to
> packets and applications not part of the base system. :)
>
> When I installed the server I did set a custom path on the file system (
> /data/www ) and then copied the files from the package to the relevant
> subdirectories.
> James if you want I can send you a copy of my apache config file.
>

A copy of your config file is most welcome.

I am aware of FreeBSD's /usr/local/ prefix convention to the usual Linux file locations. I handled that by adding some variables to the top of the distributed apache2-openxpki-site.conf file:

Define __HOST_IPV4 '192.168.216.89'
Define __HTTP_ROOT '/usr/local/www'
Define __PREFIX_PATH '/usr/local'

and then simply replaced "/var/www" with "${__HTTP_ROOT}" everywhere else. That seems to work without issue.

I suspect that the issue lies with something that I have done or left undone with respect to openxpki itself. But I am not getting any logging to help discover what it is waiting for.

Thanks,
Re: [OpenXPKI-users] Missing index.html
Hi,

I believe that Sergei (Thank you for your work!) follows a standard for the apache installed on FreeBSD.
Remember that FreeBSD puts everything in /usr/local when it comes to packets and applications not part of the base system. :)

When I installed the server I did set a custom path on the file system ( /data/www ) and then copied the files from the package to the relevant subdirectories.
James if you want I can send you a copy of my apache config file.

/Martin

On 21 Feb 2024 at 22.55.03, Oliver Welter wrote:
> Hi,
>
> I have no clue on FreeBSD and the ports are provided by a third party so
> I have no idea what the basis is for this packaging (Sergei was one of
> the co-founders of this project but is no longer involved in the
> development today but continues to run the ports repo - thanks for this
> ;) ).
>
> The "official" setup with Linux uses a lot of rewriting magic to point
> URLs to "other" places in the filesystem to make things like URL based
> realm selection work. You might want to check the apache config from the
> config repo directly:
>
> https://github.com/openxpki/openxpki-config/blob/community/contrib/apache2-openxpki-site.conf
>
> regards
>
> Oliver
>
> On 21.02.24 21:34, James B. Byrne via OpenXPKI-users wrote:
> > On Wed, February 21, 2024 13:10, Oliver Welter wrote:
> > > Hi James,
> > >
> > > the package should install default.html - just make a copy or a symlink
> > > to index.html and you should be good to go.
> > >
> > I found an index.html file in /usr/local/www/openxpki/htdocs. This file has
> > the same contents as /usr/local/share/examples/openxpki/htdocs/default.html,
> > which I presume is the default.html file that you wrote of. However, I cannot
> > find any reference in the documentation that this file should be in
> > /usr/local/www/openxpki/ as well as or instead of ./htdocs/. So, I am
> > concerned that I have misconfigured something and that the Apache configuration
> > file root directory should be pointing at /usr/local/www/openxpki/htdocs/.
> >
> > Installing default.html as index.html in /usr/local/www/openxpki/ removes the
> > Forbidden warning and the logged error. However, now what I see instead is:
> >
> > OpenXPKI is loading...
> >
> > And in the access log I see this:
> >
> > 192.168.216.89 - - [21/Feb/2024:14:24:14 -0500] "OPTIONS * HTTP/1.0" 200 - "-"
> > "Apache/2.4.58 (FreeBSD) OpenSSL/1.1.1t-freebsd
> > mod_fastcgi/mod_fastcgi-SNAP-0910052141 (internal dummy connection)"
> >
> > Top reveals this:
> >
> > 77740 openxpki 1 200 229M 189M nanslp 0 4:55 0.12% perl
> >
> > This is the relevant excerpt from my Apache configuration file:
> >
> > . . .
> > Define __HOST_IPV4 '192.168.216.89'
> > Define __HTTP_ROOT '/usr/local/www'
> > Define __PREFIX_PATH '/usr/local'
> > . . .
> > Listen ${__HOST_IPV4}:443
> >
> >     ServerName openxpki.hamilton.harte-lyne.ca
> >     ServerAlias *
> >     ServerAdmin supp...@harte-lyne.ca
> >     DocumentRoot ${__HTTP_ROOT}
> > . . .
> >
> > There is no /usr/lib//cgi-bin/ on FreeBSD-13.2. This is all I can find:
> >
> > find /usr/local/ -type d -name cgi-bin
> > /usr/local/www/openxpki/cgi-bin
> > /usr/local/www/apache24/cgi-bin
> > /usr/local/libexec/cups/cgi-bin
> > /usr/local/share/examples/openxpki/cgi-bin
> >
> > The contents of the last are:
> >
> > ll /usr/local/www/openxpki/cgi-bin/
> > total 69
> > -rwxr-xr-x 1 root wheel  4690 Jan 8 08:05 download.fcgi
> > -rwxr-xr-x 1 root wheel  3677 Jan 8 08:05 est.fcgi
> > -rwxr-xr-x 1 root wheel  2248 Jan 8 08:05 healthcheck.fcgi
> > -rwxr-xr-x 1 root wheel 28770 Jan 8 08:05 rpc.fcgi
> > -rwxr-xr-x 1 root wheel  7378 Jan 8 08:05 scep.fcgi
> > -rwxr-xr-x 1 root wheel  6339 Jan 8 08:05 scepv3.fcgi
> > -rwxr-xr-x 1 root wheel   750 Jan 8 08:05 soap.fcgi
> > -rwxr-xr-x 1 root wheel 10717 Jan 8 08:05 webui.fcgi
> >
> > As far as ScriptAlias directives I see this in my localized configuration:
> >
> > :g/ScriptAlias/
> >  66 ScriptAlias /scep ${__HTTP_ROOT}/openxpki/cgi-bin/scepv3.fcgi$
> >  81 ScriptAlias /healthcheck ${__HTTP_ROOT}/openxpki/healthcheck.fcgi$
> > 151 ScriptAlias /rpc ${__HTTP_ROOT}/openxpki/cgi-bin/rpc.fcgi$
> > 154 ScriptAlias /healthcheck ${__HTTP_ROOT}/openxpki/cgi-bin/healthcheck.fcgi$
> > 157 ScriptAlias /certep ${__HTTP_ROOT}/openxpki/cgi-bin/certep.fcgi$
> > 160 ScriptAlias /.well-known/est ${__HTTP_ROOT}/openxpki/cgi-bin/est.fcgi$
> > 163 ScriptAlias /cmc ${__HTTP_ROOT}/openxpki/cgi-bin/cmc.fcgi$
> > 165 ScriptAliasMatch ^/(([a-z0-9-]+)/)?cgi-bin/webui.fcgi ${__HTTP_ROOT}/openxpki/cgi-bin/webui.fcgi$
> >
> > And these in the provided example configuration:
> >
> > :g/ScriptAlias/
> >  28 ScriptAlias /scep /usr/lib/cgi-bin/scepv3.fcgi$
> >  43 ScriptAlias /healthcheck /usr/lib/cgi-bin/healthcheck.fcgi$
> >  81 ScriptAlias /rpc /usr/lib/cgi-bin/rpc.fcgi$
> >  84 ScriptAlias
Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
Yes I did, that was not the issue.

-----Original Message-----
From: Jens Berthold
Sent: Thursday, February 22, 2024 10:28 AM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions

Hi Henri,

did you notice the typo, i.e. the missing "b" in number?

Jens

On 22.02.24 at 09:01, henri.sunde...@iki.fi wrote:
> Hi,
>
> Tried this but no luck, it's not reading the serial from the CSR.
>
> -----Original Message-----
> From: Oliver Welter
> Sent: Wednesday, February 21, 2024 1:26 PM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>
> Hi Henri,
>
> my fault - serialNumber is not in the "registered RDN" list for the
> template parser shortcuts, it should work with
>
> preset: '[% serialNumer.0 %]'
>
> best regards
>
> Oliver
>
> On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
>> I tried that, but it does not work.
>> Using the template with preset as set below, it fills serialNumber
>> field with value "serialNumber". Certificate profile is same as I
>> presented before. This sounds like a bug - maybe it tries to take key
>> instead its value?
>>
>> serial.yaml:
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: serialNumber
>> type: text
>> width: 40
>> placeholder:
>>
>> -----Original Message-----
>> From: Oliver Welter
>> Sent: Monday, February 19, 2024 10:21 AM
>> To: openxpki-users@lists.sourceforge.net
>> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>>
>> Hello Henri,
>>
>> you have to use "serialNumber" as preset also, SN is the "Surname" OID :)
>>
>> For the second part - you can turn on the "copy extension" flag but
>> as outlined in the comment this copies ANYTHING from the request so
>> this requires a certain portion of control on CSR generation and a
>> very good validation as you otherwise might sign things you do not expect too.
>>
>> The other option requires a modification of the workflow and the use
>> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension,
>> likely with some magic around to build the right content - or an
>> upgrade to the enterprise edition which comes with a templating
>> mechanism and some other nice features around profile based extensions.
>>
>> best regards
>>
>> Oliver
>>
>> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>>> I'm trying to make a new certificate profile, with this kind of requirements:
>>> - Subject shall have serialNumber field, which is copied from CSR
>>> - Extensions shall have a custom OID field with custom bit stream data, which is copied from CSR
>>>
>>> I haven't been able to get any of that working. I added to templates serial.yaml:
>>> --
>>> id: serialNumber
>>> label: serialNumber
>>> description: Serial Number
>>> preset: SN.0
>>> type: text
>>> width: 40
>>> placeholder:
>>> --
>>> And I made new profile like this:
>>> --
>>> # The name of the file equals the name of the profile
>>> label: License
>>>
>>> # digest to use
>>> digest: sha256
>>>
>>> style:
>>>     00_basic_style:
>>>         label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>>         description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>>         # Define which input fields you want on the UI
>>>         # Just put their names here and define them at the end
>>>         # in the "template" section.
>>>         # You can also use the template names found in the
>>>         # template.yaml file, if you duplicate a name, the
>>>         # local definition gets precedence.
>>>         ui:
>>>             subject:
>>>             - hostname
>>>             - serial
>>>             - o
>>>             - c
>>>             info:
>>>             - requestor_realname
>>>             - requestor_email
>>>             - owner_contact
>>>             - comment
>>>
>>>         # Subject is evaluated by template toolkit with the input
>>>         # data from the ui.subject fields
>>>         # Note: Fields which have max > 1 are always passed as array
>>>         subject:
>>>             dn: CN=[% hostname %],serialNumber=[% serial %]
>>>             # You can use the fields from ui.subject here
>>>
>>>         # this is attached to the certificate, all fields from ui
>>>         # can be used
>>>         metadata:
>>>             requestor: "[% requestor_realname %]"
>>>             email: "[% requestor_email %]"
>>>             owner_contact: "[% owner_contact || requestor_email %]"
>>>             entity: "[% hostname FILTER lower %]"
>>>
>>>     # A standard template used from the automated enrollment workflows
>>>     enroll:
>>>         subject:
>>>             # All RDNs from the PKCS10 containers DN are available here
>>>             # Items from the SAN section are also
Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
Hi Henri,

did you notice the typo, i.e. the missing "b" in number?

Jens

On 22.02.24 at 09:01, henri.sunde...@iki.fi wrote:
> Hi,
>
> Tried this but no luck, it's not reading the serial from the CSR.
>
> -----Original Message-----
> From: Oliver Welter
> Sent: Wednesday, February 21, 2024 1:26 PM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>
> Hi Henri,
>
> my fault - serialNumber is not in the "registered RDN" list for the
> template parser shortcuts, it should work with
>
> preset: '[% serialNumer.0 %]'
>
> best regards
>
> Oliver
>
> On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
>> I tried that, but it does not work.
>> Using the template with preset as set below, it fills serialNumber
>> field with value "serialNumber". Certificate profile is same as I
>> presented before. This sounds like a bug - maybe it tries to take key
>> instead its value?
>>
>> serial.yaml:
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: serialNumber
>> type: text
>> width: 40
>> placeholder:
>>
>> -----Original Message-----
>> From: Oliver Welter
>> Sent: Monday, February 19, 2024 10:21 AM
>> To: openxpki-users@lists.sourceforge.net
>> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>>
>> Hello Henri,
>>
>> you have to use "serialNumber" as preset also, SN is the "Surname" OID :)
>>
>> For the second part - you can turn on the "copy extension" flag but
>> as outlined in the comment this copies ANYTHING from the request so
>> this requires a certain portion of control on CSR generation and a
>> very good validation as you otherwise might sign things you do not expect too.
>>
>> The other option requires a modification of the workflow and the use
>> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension,
>> likely with some magic around to build the right content - or an
>> upgrade to the enterprise edition which comes with a templating
>> mechanism and some other nice features around profile based extensions.
>>
>> best regards
>>
>> Oliver
>>
>> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>>> I'm trying to make a new certificate profile, with this kind of requirements:
>>> - Subject shall have serialNumber field, which is copied from CSR
>>> - Extensions shall have a custom OID field with custom bit stream data, which is copied from CSR
>>>
>>> I haven't been able to get any of that working. I added to templates serial.yaml:
>>> --
>>> id: serialNumber
>>> label: serialNumber
>>> description: Serial Number
>>> preset: SN.0
>>> type: text
>>> width: 40
>>> placeholder:
>>> --
>>> And I made new profile like this:
>>> --
>>> # The name of the file equals the name of the profile
>>> label: License
>>>
>>> # digest to use
>>> digest: sha256
>>>
>>> style:
>>>     00_basic_style:
>>>         label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>>         description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>>         # Define which input fields you want on the UI
>>>         # Just put their names here and define them at the end
>>>         # in the "template" section.
>>>         # You can also use the template names found in the
>>>         # template.yaml file, if you duplicate a name, the
>>>         # local definition gets precedence.
>>>         ui:
>>>             subject:
>>>             - hostname
>>>             - serial
>>>             - o
>>>             - c
>>>             info:
>>>             - requestor_realname
>>>             - requestor_email
>>>             - owner_contact
>>>             - comment
>>>
>>>         # Subject is evaluated by template toolkit with the input
>>>         # data from the ui.subject fields
>>>         # Note: Fields which have max > 1 are always passed as array
>>>         subject:
>>>             dn: CN=[% hostname %],serialNumber=[% serial %]
>>>             # You can use the fields from ui.subject here
>>>
>>>         # this is attached to the certificate, all fields from ui
>>>         # can be used
>>>         metadata:
>>>             requestor: "[% requestor_realname %]"
>>>             email: "[% requestor_email %]"
>>>             owner_contact: "[% owner_contact || requestor_email %]"
>>>             entity: "[% hostname FILTER lower %]"
>>>
>>>     # A standard template used from the automated enrollment workflows
>>>     enroll:
>>>         subject:
>>>             # All RDNs from the PKCS10 containers DN are available here
>>>             # Items from the SAN section are also available here
>>>             # Note that all items are always arrays, for the SAN the pipe is
>>>             # used as separator character to split individual items later
>>>             dn: CN=[% CN.0 %],serialNumber=[% SN.0 %]
>>>
>>>         # metadata source items added via the "params" section of the
>>>         # PersistMetadata action in the workflow are available in data
>>>         # DN/SAN parts are available as defined above
>>>         metadata:
>>>             system_id: "[% data.cust_id %]"
>>>             server_id: "[% data.server_id %]"
>>>             entity: "[% CN.0.replace(':.*','') FILTER lower %]"
>>>
>>>         # Consumed by RenderExtensions to add extra
Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
Hi,

Tried this but no luck, it's not reading the serial from the CSR.

-----Original Message-----
From: Oliver Welter
Sent: Wednesday, February 21, 2024 1:26 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions

Hi Henri,

my fault - serialNumber is not in the "registered RDN" list for the template parser shortcuts, it should work with

preset: '[% serialNumer.0 %]'

best regards

Oliver

On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
> I tried that, but it does not work.
> Using the template with preset as set below, it fills serialNumber
> field with value "serialNumber". Certificate profile is same as I
> presented before. This sounds like a bug - maybe it tries to take key
> instead its value?
>
> serial.yaml:
> id: serialNumber
> label: serialNumber
> description: Serial Number
> preset: serialNumber
> type: text
> width: 40
> placeholder:
>
> -----Original Message-----
> From: Oliver Welter
> Sent: Monday, February 19, 2024 10:21 AM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>
> Hello Henri,
>
> you have to use "serialNumber" as preset also, SN is the "Surname" OID :)
>
> For the second part - you can turn on the "copy extension" flag but as
> outlined in the comment this copies ANYTHING from the request so this
> requires a certain portion of control on CSR generation and a very
> good validation as you otherwise might sign things you do not expect too.
>
> The other option requires a modification of the workflow and the use
> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension,
> likely with some magic around to build the right content - or an
> upgrade to the enterprise edition which comes with a templating
> mechanism and some other nice features around profile based extensions.
>
> best regards
>
> Oliver
>
> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>> I'm trying to make a new certificate profile, with this kind of requirements:
>> - Subject shall have serialNumber field, which is copied from CSR
>> - Extensions shall have a custom OID field with custom bit stream data, which is copied from CSR
>>
>> I haven't been able to get any of that working. I added to templates serial.yaml:
>> --
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: SN.0
>> type: text
>> width: 40
>> placeholder:
>> --
>> And I made new profile like this:
>> --
>> # The name of the file equals the name of the profile
>> label: License
>>
>> # digest to use
>> digest: sha256
>>
>> style:
>>     00_basic_style:
>>         label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>         description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>         # Define which input fields you want on the UI
>>         # Just put their names here and define them at the end
>>         # in the "template" section.
>>         # You can also use the template names found in the
>>         # template.yaml file, if you duplicate a name, the
>>         # local definition gets precedence.
>>         ui:
>>             subject:
>>             - hostname
>>             - serial
>>             - o
>>             - c
>>             info:
>>             - requestor_realname
>>             - requestor_email
>>             - owner_contact
>>             - comment
>>
>>         # Subject is evaluated by template toolkit with the input
>>         # data from the ui.subject fields
>>         # Note: Fields which have max > 1 are always passed as array
>>         subject:
>>             dn: CN=[% hostname %],serialNumber=[% serial %]
>>             # You can use the fields from ui.subject here
>>
>>         # this is attached to the certificate, all fields from ui
>>         # can be used
>>         metadata:
>>             requestor: "[% requestor_realname %]"
>>             email: "[% requestor_email %]"
>>             owner_contact: "[% owner_contact || requestor_email %]"
>>             entity: "[% hostname FILTER lower %]"
>>
>>     # A standard template used from the automated enrollment workflows
>>     enroll:
>>         subject:
>>             # All RDNs from the PKCS10 containers DN are available here
>>             # Items from the SAN section are also available here
>>             # Note that all items are always arrays, for the SAN the pipe is
>>             # used as separator character to split individual items later
>>             dn: CN=[% CN.0 %],serialNumber=[% SN.0 %]
>>
>>         # metadata source items added via the "params" section of the
>>         # PersistMetadata action in the workflow are available in data
>>         # DN/SAN parts are available as defined above
>>         metadata:
>>             system_id: "[% data.cust_id %]"
>>             server_id: "[%