Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James,

> This is the diff between the current config.d and the original before any
> changes were made.
> 
> # git diff -G. hllv1.00  -- --follow config.d
> diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
> index 95614f5..bda48a1 100644
> --- a/config.d/realm.tpl/crypto.yaml
> +++ b/config.d/realm.tpl/crypto.yaml
> @@ -15,7 +15,8 @@ token:
># Template to create key, available vars are
># ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
># KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
> -key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
> +#   key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
> +key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
> 
># possible values are OpenSSL, nCipher, LunaCA
>engine: OpenSSL
> @@ -42,7 +43,8 @@ token:
> 
>  vault:
>inherit: default
> -key: /etc/openxpki/local/keys/[% ALIAS %].pem
> +#   key: /etc/openxpki/local/keys/[% ALIAS %].pem
> +key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem
> 
>  ratoken:
>inherit: default
> @@ -58,6 +60,13 @@ token:
> 
> # Define the secret groups
> secret:
> +
> +ca-signer:
> +label:  Secret group for certsign Token
> +export: 1
> +method: literal
> +value:  "democa"
> +
>default:
># this let OpenXPKI use the secret of the same name from system.crypto
># if you do not want to share the secret just replace this line with
> @@ -69,4 +78,4 @@ secret:
>label: Secret group for RA Token
>export: 1
>method: literal
> -value: root
> \ No newline at end of file
> +value: root


Yep, that's the problem. In the original default crypto.yaml we find

...
# The actual token setup
token:
 default:
...
   # Default value for import, recorded in database, can be overriden
   secret: default
...

# use ALIAS as key as it makes debug and management easier
 ca-signer:
   inherit: default
   key_store: DATAPOOL
   key: "[% ALIAS %]"
...

# Define the secret groups
secret:
   default:
      # this let OpenXPKI use the secret of the same name from system.crypto
      # if you do not want to share the secret just replace this line with
      # the config found in system.crypto. You can create additional secrets
      # by adding similar blocks with another key
      import: 1


This means that the ca-signer token inherits from the default token 
configuration which references the "default" secret group. This "default" 
secret group is imported from the global configuration in 
config.d/system/crypto.yaml.

There we find:

secret:
   default:
      label: Global secret group
      export: 0
      method: literal
      value: root

You added a new literal secret group "ca-signer" with the value "democa" to 
your token configuration.
Now, the error in the configuration is that you obviously assumed that by 
defining a secret group with the same name as the signer token will link this. 
This is not the case. Your new secret group was defined but is never used.

In order to make this work as you intend you need to do one of the following:


1. in your default token configuration change the secret definition to the 
correct secret group reference:

token:
 default:
...
   secret: ca-signer


OR

2. change the password in the "default" secret group from "root" to "democa"

OR

3. change the CA key passphrase to "root"

OR

4. enable passphrase entry via the GUI and use the GUI to enter your passphrase 
"democa" after startup



Cheers

Martin









___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
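The binding rule Martin describes (a token finds its passphrase through its `secret:` key, which it may inherit from the `default` token, and a secret group with `import: 1` comes from `system.crypto`; a group that merely shares a token's name is never consulted) can be checked mechanically. The following is an added example, not code from the thread or from the OpenXPKI project: it models the quoted `crypto.yaml` fragments as plain Python dicts (constructed here; the `ratoken` token's `secret: ratoken` reference is an assumption), flattens each token's `inherit` chain, reports which groups are defined but unreferenced, and then applies Martin's option 1 to show which tokens change along with it.

```python
import copy

# Constructed from the crypto.yaml fragments quoted in this thread; these are
# not the project's files. The ratoken 'secret: ratoken' line is an assumption.
REALM_CRYPTO = {
    "token": {
        "default": {
            "key": "/usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem",
            "engine": "OpenSSL",
            "secret": "default",
        },
        "ca-signer": {"inherit": "default", "key_store": "DATAPOOL", "key": "[% ALIAS %]"},
        "vault": {"inherit": "default",
                  "key": "/usr/local/etc/openxpki/local/keys/[% ALIAS %].pem"},
        "ratoken": {"inherit": "default", "secret": "ratoken"},
    },
    "secret": {
        "ca-signer": {"label": "Secret group for certsign Token", "export": 1,
                      "method": "literal", "value": "democa"},
        "default": {"import": 1},
        "ratoken": {"label": "Secret group for RA Token", "export": 1,
                    "method": "literal", "value": "root"},
    },
}

# system.crypto as quoted by Martin: the realm's 'default' group imports this one.
SYSTEM_CRYPTO = {
    "secret": {"default": {"label": "Global secret group", "export": 0,
                           "method": "literal", "value": "root"}},
}


def resolve_token(tokens, name, _seen=()):
    """Flatten a token's 'inherit' chain; keys set on the child override the parent."""
    if name in _seen:
        raise ValueError(f"inherit loop at token '{name}'")
    own = dict(tokens[name])
    parent = own.pop("inherit", None)
    if parent is None:
        return own
    merged = resolve_token(tokens, parent, _seen + (name,))
    merged.update(own)
    return merged


def resolve_secret(realm, system, group):
    """Effective definition of a secret group, following 'import: 1' into
    system.crypto; None if the group is defined nowhere."""
    defn = realm["secret"].get(group)
    if defn is None:
        return None
    if defn.get("import"):
        return system["secret"].get(group)
    return defn


def audit(realm, system):
    """Which secret group each token really binds to, which defined groups
    nothing references, and the passphrase source each token ends up with."""
    bindings = {tok: resolve_token(realm["token"], tok).get("secret")
                for tok in realm["token"]}
    unused = sorted(g for g in realm["secret"] if g not in bindings.values())
    sources, findings = {}, []
    for tok, group in bindings.items():
        sec = resolve_secret(realm, system, group) if group else None
        if sec is None:
            findings.append(f"{tok}: secret group {group!r} is not defined")
            continue
        sources[tok] = (sec.get("method"), sec.get("value"))
    for g in unused:
        findings.append(f"secret group {g!r} is defined but no token references it")
    return {"bindings": bindings, "unused_groups": unused,
            "sources": sources, "findings": findings}


def with_default_secret(realm, group):
    """Martin's option 1 applied to a copy: point the default token at another
    secret group. Every token that inherits 'default' without its own 'secret:'
    follows along, which is the side effect worth checking before doing it."""
    fixed = copy.deepcopy(realm)
    fixed["token"]["default"]["secret"] = group
    return fixed


if __name__ == "__main__":
    before = audit(REALM_CRYPTO, SYSTEM_CRYPTO)
    for line in before["findings"]:
        print("before:", line)
    after = audit(with_default_secret(REALM_CRYPTO, "ca-signer"), SYSTEM_CRYPTO)
    print("after option 1:", after["bindings"], "unused:", after["unused_groups"])
```

Run as is, the audit reports exactly the situation in the thread: `ca-signer` resolves to the `default` group (passphrase `root` from `system.crypto`) and the new `ca-signer` group is unreferenced. After option 1 the signer gets `democa`, but so does `vault`, because it also inherits `default` without its own `secret:` key; if the vault key has a different passphrase, give the `vault` token (or the `ca-signer` token alone) an explicit `secret:` instead of changing `default`.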


[OpenXPKI-users] MariaDB2

2024-03-13 Thread Sergei Vyshenski

Hi,

Trying to launch democa out of the latest stable community release
OpenXPKI-3.28.2 at
Linux Debian 12.5 with
MariaDB 10.11.6

Followed steps advised by
https://openxpki.readthedocs.io/en/latest/quickstart.html
(configuration for /etc/openxpki/ fetched from openxpki/openxpki-config 
project)


and in particular:
$ apt install mariadb-server libdbd-mariadb-perl
...
$ openxpkictl start
It says:
Starting OpenXPKI Community Edition v3.28.2
OpenXPKI server is not running or does not accept requests.
Status check failed
(See error log attached below.)

Now I remove libdbd-mariadb-perl and install libdbd-mysql-perl instead, 
as the openxpki server wanted.

This helps:
$ openxpkictl start
OpenXPKI Server is running and accepting requests.
DONE.

Is it reasonable to switch dbd-mariadb for dbd-mysql?
The quoted Quickstart insists (with red letters) that dbd-mariadb is a 
preferable choice for MariaDB2 and OpenXPKI.


What is MariaDB2 (mentioned by Quickstart) by the way? Google only finds 
this name inside the OpenXPKI pages.

Debian 12.5 has MariaDB 10.11.6. Is it MariaDB1 or MariaDB2?
Also name "MariaDB2" is present multiple times in the configuration of 
openxpki/openxpki-config.

Is it safe to leave it there?

NB.
When the DBD-MariaDB project was founded they claimed (see here: 
https://github.com/perl5-dbi/DBD-MariaDB) that it would be better than 
the DBD-mysql project, because
"This Perl DBI driver is a fork of the DBD::mysql driver and was created because 
said issues in the original DBD::mysql have not been addressed for more 
than a year."
But today the DBD-mysql project evolves more rapidly than the 
DBD-MariaDB project:

https://metacpan.org/dist/DBD-mysql/changes

Regards, Sergei
==
$> cat /var/log/openxpki.log (with the driver DBD-MariaDB installed)
2024/03/12 14:18:27 ERROR Database not connected; __error__ => 
install_driver(mysql) failed: Can't locate DBD/mysql.pm in @INC (you may 
need to install the DBD::mysql module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 
/usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 
/usr/share/perl/5.36 /usr/local/lib/site_perl) at (eval 974) line 3.

Perhaps the DBD::mysql perl module hasn't been fully installed,
or perhaps the capitalisation of 'mysql' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, MariaDB, Mem, Proxy, Sponge.
 at /usr/share/perl5/DBIx/Handler.pm line 41.
 [pid=4925|]
2024/03/12 14:18:27 FATAL Error during initialization task 'dbi': 
Database not connected [pid=4925|]
2024/03/12 14:18:27 FATAL Exception during server initialization: 
Database not connected; __error__ => install_driver(mysql) failed: Can't 
locate DBD/mysql.pm in @INC (you may need to install the DBD::mysql 
module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 
/usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 
/usr/share/perl/5.36 /usr/local/lib/site_perl) at (eval 974) line 3.

Perhaps the DBD::mysql perl module hasn't been fully installed,
or perhaps the capitalisation of 'mysql' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, MariaDB, Mem, Proxy, Sponge.
 at /usr/share/perl5/DBIx/Handler.pm line 41.
 (Database not connected; __error__ => install_driver(mysql) failed: 
Can't locate DBD/mysql.pm in @INC (you may need to install the 
DBD::mysql module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 
/usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 
/usr/share/perl/5.36 /usr/local/lib/site_perl) at (eval 974) line 3.

Perhaps the DBD::mysql perl module hasn't been fully installed,
or perhaps the capitalisation of 'mysql' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, MariaDB, Mem, Proxy, Sponge.
 at /usr/share/perl5/DBIx/Handler.pm line 41.
) [pid=4925|]
==


___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread James B. Byrne via OpenXPKI-users
On Wed, March 13, 2024 09:25, Martin Bartosch wrote:
> Hi James,
>
. . .
>
> 1. the output of openxpkicli get_token_info (file in file system) is not
> consistent with your configuration (key in datapool). I have no idea why,
> because I cannot see more details on your system, but to me it looks like the
> ca-signer token configuration is not the config the system is using
>
> 2. the config snippet is missing the definition for "default" in crypto.yaml
> where I assume the secret group is defined. If that does not match the secret
> group you seemingly intend to use for your ca signer tokens (which you named
> "ca-signer") then the passphrase will not be set correctly. Again, without
> being able to see more or your config it is impossible to tell.

This is the diff between the current config.d and the original before any
changes were made.

# git diff -G. hllv1.00  -- --follow config.d
diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
index 95614f5..bda48a1 100644
--- a/config.d/realm.tpl/crypto.yaml
+++ b/config.d/realm.tpl/crypto.yaml
@@ -15,7 +15,8 @@ token:
 # Template to create key, available vars are
 # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
 # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
-key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+#   key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

 # possible values are OpenSSL, nCipher, LunaCA
 engine: OpenSSL
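Review bot: the old path is kept as a comment (`#   key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem`) right above the new `key:` line; drop the commented copy once the FreeBSD prefix is confirmed so the file carries a single source of truth. This is the `default` token's template, so it only governs tokens that do not override `key:` themselves; whatever it expands to must be readable by the `user: openxpki` configured in server.yaml.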
@@ -42,7 +43,8 @@ token:

   vault:
 inherit: default
-key: /etc/openxpki/local/keys/[% ALIAS %].pem
+#   key: /etc/openxpki/local/keys/[% ALIAS %].pem
+key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem

   ratoken:
 inherit: default
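Review bot: the vault path `/usr/local/etc/openxpki/local/keys/[% ALIAS %].pem` has no `[% PKI_REALM %]` component, unlike the default token's template in the previous hunk, so with the second realm added in realms.yaml in this same change set both realms would resolve `vault-1` to the same file; confirm that sharing is intended or add the realm to the path. The commented-out old line should be removed here too.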
@@ -58,6 +60,13 @@ token:

 # Define the secret groups
 secret:
+
+ca-signer:
+label:  Secret group for certsign Token
+export: 1
+method: literal
+value:  "democa"
+
 default:
 # this let OpenXPKI use the secret of the same name from system.crypto
 # if you do not want to share the secret just replace this line with
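Review bot: the new `ca-signer` secret group is never referenced. A token is bound to a secret group through its `secret:` key (inherited here from `default`, whose `secret: default` still names the imported global group), not by sharing the token's name, so this block is dead configuration and the signer keeps using the global passphrase. Either point the `default` token's `secret:` (or a `secret:` key on the `ca-signer` token alone) at `ca-signer`, or drop the block. Also note `export: 1` here versus `export: 0` on the global group being replaced; check which setting the signer token actually needs rather than copying `1` from the RA group.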
@@ -69,4 +78,4 @@ secret:
 label: Secret group for RA Token
 export: 1
 method: literal
-value: root
\ No newline at end of file
+value: root
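Review bot: whitespace-only hunk (adds the missing trailing newline); nothing to change. It does show that the RA token group keeps `value: root` as a literal in the realm template, so this file needs the same restricted read permissions as the key files.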
diff --git a/config.d/system/database.yaml b/config.d/system/database.yaml
old mode 100644
new mode 100755
index 472217a..3043863
--- a/config.d/system/database.yaml
+++ b/config.d/system/database.yaml
@@ -1,9 +1,9 @@
 main:
 debug: 0
-type: MariaDB
+type: PostgreSQL
 name: openxpki
 host: localhost
-port: 3306
+port: 5432
 user: openxpki
 passwd: openxpki

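Review bot: the mode change `old mode 100644` / `new mode 100755` makes a YAML file containing `passwd: openxpki` executable, which serves no purpose; keep it non-executable and not world-readable. `type: PostgreSQL` with `port: 5432` is consistent, but `user:` and `passwd:` are unchanged context lines, i.e. still the template's values; change them before this leaves the proof-of-concept stage.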
diff --git a/config.d/system/realms.yaml b/config.d/system/realms.yaml
old mode 100644
new mode 100755
index 9b0036b..bc50e30
--- a/config.d/system/realms.yaml
+++ b/config.d/system/realms.yaml
@@ -4,3 +4,7 @@
 democa:
 label: Example.org Demo CA
 baseurl: https://pki.example.com/openxpki/
+
+hll_ca2016:
+label:Harte & Lyne Limited CA
+baseurl:  https://openxpki-3.internal.harte-lyne.ca/openxpki/
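Review bot: `+label:Harte & Lyne Limited CA` has no space after the colon; unless the mail client stripped whitespace, YAML does not read that line as a key/value pair and the `hll_ca2016` realm definition fails to parse. The following `+baseurl:  https://...` line is formatted correctly. Same unnecessary `100755` mode change as database.yaml.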
diff --git a/config.d/system/server.yaml b/config.d/system/server.yaml
old mode 100644
new mode 100755
index e667f0f..2b4d741
--- a/config.d/system/server.yaml
+++ b/config.d/system/server.yaml
@@ -1,19 +1,20 @@
 # Shown in the processlist to distinguish multiple instances
-name: main
+name: hll_main

 # Location of the log4perl configuration
-log4perl: /etc/openxpki/log.conf
+#log4perl: /etc/openxpki/log.conf
+log4perl: /usr/local/etc/openxpki/log.conf

 # Daemon settings
 user: openxpki
 group:openxpki
 socket_file:  /var/openxpki/openxpki.socket
-pid_file: /run/openxpkid.pid
+pid_file: /var/run/openxpkid.pid
 stderr:   /var/log/openxpki/stderr.log
 tmpdir:   /var/tmp

 # we need to give write permission to the socket for the webserver
-socket_owner: www-data
+socket_owner: www

 # This is experimental!
 #type: PreFork
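Review bot: `socket_owner: www-data` → `socket_owner: www` is the FreeBSD equivalent and is by design (the comment above says the webserver needs write access to the socket), but verify that `www` is the uid the web front end actually runs as; a mismatch surfaces as a permission error. `pid_file: /var/run/openxpkid.pid` is fine on FreeBSD. Drop the commented-out `#log4perl: /etc/openxpki/log.conf` line rather than keeping it beside the new path, and the `100755` mode change is unneeded here as well.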


>
> 2a. a fixed value for a CA key is not a good idea

True. On the other hand, this is a proof of concept test and literal values
allow one to grep for things.

>
> Bottom line: your system cannot access the private key, and this is either a
> permission problem or a problem with the CA passphrase.

The passphrase has been verified as correct as I can expose the private key
using openssl.

The service script provided with the pr-openxpki pkg from FreeBSD ports trashes
the permissions and ownerships.  I ran that instead of openxpkictl (once) and
discovered that the hard way.  So a permissions problem is possible. On the
other hand I have just completed a thorough check of file permissions against
those in the community branch and these are all the same.

Thanks,


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to 

Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James,

> 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
> /var/tmp/openxpki28821VniVdpfp/openssl.cnf
> unable to load CA private key
> . . .
> 
> I guess that this is the problem: unable to load CA private key

Yep.


> The realm was created using:
> 
> openxpkiadm alias \
>   --realm "democa" \
>   --token certsign \
>   --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem \
>   --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem
> 
> openxpkicli get_token_info --realm=democa --arg alias=vault-1
> {
>   "key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
>   "key_secret" : 1,
>   "key_store" : "OPENXPKI",
>   "key_usable" : 1
> }
> 
> I have verified that the private key password provided in
> config/realm/democa/crypto.yaml is correct:
> 
> . .
>  ca-signer:
>inherit: default
>key_store: DATAPOOL
>key: "[% ALIAS %]"
> . . .
> secret:
> 
>ca-signer:
>label:  Secret group for certsign Token
>export: 1
>method: literal
>value:  "democa"


1. the output of openxpkicli get_token_info (file in file system) is not 
consistent with your configuration (key in datapool). I have no idea why, 
because I cannot see more details on your system, but to me it looks like the 
ca-signer token configuration is not the config the system is using

2. the config snippet is missing the definition for "default" in crypto.yaml 
where I assume the secret group is defined. If that does not match the secret 
group you seemingly intend to use for your ca signer tokens (which you named 
"ca-signer") then the passphrase will not be set correctly. Again, without 
being able to see more or your config it is impossible to tell.

2a. a fixed value for a CA key is not a good idea


Bottom line: your system cannot access the private key, and this is either a 
permission problem or a problem with the CA passphrase.


Cheers

Martin





___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread James B. Byrne via OpenXPKI-users
On Wed, March 13, 2024 07:52, Martin Bartosch wrote:
> Hi James,
. . .
>
> You should get more information about the error in the openxpki.log file. I
> suspect something is wrong with the CSR or the CA key, but the details you
> posted do not contain sufficient detail to tell what exactly went wrong.

]# tail -15 /var/log/openxpki/openxpki.log
30356799270912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
30356799270912:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
 [pid=28821|sid=Xo3x]
2024/03/13 08:16:05 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__
=> cms -sign -binary -nosmimecap -outform PEM -nodetach -in
/var/tmp/openxpki2882150mH98yQ -inkey
/var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer
/var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=28821|sid=Xo3x]
2024/03/13 08:16:05 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki2882150mH98yQ -inkey
/var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer
/var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=28821|sid=Xo3x]
2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
/var/tmp/openxpki28821VniVdpfp/openssl.cnf
unable to load CA private key
. . .

I guess that this is the problem: unable to load CA private key

The realm was created using:

openxpkiadm alias \
  --realm "democa" \
  --token certsign \
  --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem \
  --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem

openxpkicli get_token_info --realm=democa --arg alias=vault-1
{
   "key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
   "key_secret" : 1,
   "key_store" : "OPENXPKI",
   "key_usable" : 1
}

I have verified that the private key password provided in
config/realm/democa/crypto.yaml is correct:

. .
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
. . .
secret:

  ca-signer:
    label:  Secret group for certsign Token
    export: 1
    method: literal
    value:  "democa"

openssl rsa \
  -noout \
  -text \
  -in /root/CLCA/CAS/democa_i/private/democa_i_key.pem

Enter pass phrase for /root/CLCA/CAS/democa_i/private/democa_i_key.pem:
RSA Private-Key: (4096 bit, 2 primes)
modulus:


>
> Is your CA set up correctly? Are you able to create a CRL?

# openxpkicmd --realm democa crl_issuance
Workflow created (ID: 1791), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0

# openxpkicmd --realm hll_ca2016 crl_issuance
Workflow created (ID: 2047), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0

What is wrong with my setup?

Thanks,


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne  mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


[OpenXPKI-users] democa with OpenXPKI @ debian 12.5

2024-03-13 Thread Sergei Vyshenski

Hi,

Speaking of the latest stable community release
OpenXPKI-3.28.2 at
Linux Debian 12.5 with
MariaDB 10.11.6

What is the present-day recommended advice for getting a running test instance of 
democa, for a careless novice?


Was able to find 3 sources:

https://openxpki.readthedocs.io/en/latest/quickstart.html
https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md
https://github.com/openxpki/openxpki-docker/blob/master/README.md

They seem not exactly mutually consistent. Also they do not work for me 
exactly as described.
Maybe because of my poor expertise, or even because they are somewhat 
outdated.


In particular, is it correct that a ready-for-use docker image is 
unavailable at the moment?
Is it possible to build an up-to-date docker image with the help of the 
openxpki-docker project?


So sorry about my dumb questions. Maybe they could be justified by my 
future contribution in the form of patches for the listed documents, if I 
ever succeed.


Regards, Sergei


___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James,

> __EXIT_STATUS__ => 256  == Searching for Openssl error codes the number 256
> comes up as related to an unsupported cipher. Where is the cypher being
> specified?

The exit status is shifted left by 8 bit by the execution wrapper in OpenXPKI, 
so the actual return code is 256 >> 8 == 1, and 1 is the generic OpenSSL error 
message.

You should get more information about the error in the openxpki.log file. I 
suspect something is wrong with the CSR or the CA key, but the details you 
posted do not contain sufficient detail to tell what exactly went wrong.

Is your CA set up correctly? Are you able to create a CRL?

Best regards,

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
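The status decoding Martin describes, as an added example that is not from the thread or from OpenXPKI: `__EXIT_STATUS__` is the raw POSIX wait status, so the exit code lives in the high byte (`256 >> 8 == 1`, and the `512` in the later `cms -sign` log line is exit code 2). The plain shift is not the whole story, though: when OpenSSL is killed by a signal the high byte is zero and the signal number sits in the low bits, so `status >> 8` would report a misleading `0`. The functions below use the `os.W*` macros to handle both cases; `raw_status_of` relies on `os.system` returning the raw wait status, which holds on POSIX only.

```python
import os


def decode_wait_status(status):
    """Split a raw POSIX wait status (what OpenXPKI logs as __EXIT_STATUS__)
    into how the child ended and the number that goes with it."""
    if os.WIFEXITED(status):
        return ("exited", os.WEXITSTATUS(status))      # high byte: exit code
    if os.WIFSIGNALED(status):
        return ("signaled", os.WTERMSIG(status))       # low bits: signal number
    if os.WIFSTOPPED(status):
        return ("stopped", os.WSTOPSIG(status))
    return ("unknown", status)


def naive_exit_code(status):
    """The shift from the thread; correct for a normal exit, wrong for a signal."""
    return status >> 8


def raw_status_of(shell_cmd):
    """Run a shell command and return its raw wait status (POSIX only; None elsewhere).
    os.system returns the wait status, not the exit code, on POSIX."""
    if os.name != "posix":
        return None
    return os.system(shell_cmd)


if __name__ == "__main__":
    # Values taken from the log lines quoted in this thread.
    for logged in (256, 512):
        print(logged, "->", decode_wait_status(logged))
    # A child killed by SIGKILL (constructed value): the shift hides it.
    print(9, "-> naive", naive_exit_code(9), "decoded", decode_wait_status(9))
    print("sh -c 'exit 1' raw status:", raw_status_of("exit 1"))
```

Reading the decoded value back against the log is what matters for triage: an `("exited", 1)` from the `cms -sign` / `rsa` commands points at OpenSSL's generic failure (here the `bad decrypt` on the key), whereas a `("signaled", …)` result would send you looking at the process environment instead of the configuration.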


[OpenXPKI-users] Question regarding CheckDNS Usage

2024-03-13 Thread Daniel Hoffend

Hello

I've seen the Plugin CheckDNS and realized that you can specify other 
nameservers in workflows or field definitions.


[% USE CheckDNS(timeout = 10, servers = '1.2.3.4, 5.6.7.8') %]

My question is now: Is there a way to easily set default nameservers per 
realm or do I have to modify each workflow for each realm?



regards
Daniel


___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users