Re: [OpenXPKI-users] Problems with setup (democa)

2022-01-30 Thread Oliver Welter
Hi Claas,

this sounds strange - is there any error message in the logs when you
call the status page? What OS are you using and how do you start OpenXPKI?

Oliver

On 24.01.22 at 11:55, Claas Hilbrecht wrote:
> Hi Oliver,
>
>> I found this problem yesterday and it will be fixed in the next release
>> - the reason is (very likely) that the "ratoken" secret in the
>> crypto.yaml has no value which lets the call that fetches the system
>> status crash. If this is the case your status screen will look like this
>> and *NOT* show any value for system version or hostname.
>>
>> If this is the case, just remove "secret.ratoken" from crypto.yaml or
>> pass a value to it.
>
> I changed the crypto.yaml below the realm like this:
>
> File: crypto.yaml
>
> type:
>   cmcra: ratoken
> token:
>   ratoken:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>     secret: ratoken
> secret:
>     ratoken:
>     label: Secret group for RA Token
>     export: 1
>     method: literal
>     value: test
>
> But still:
> Your system status is critical!
> OpenXPKI system status
> CRL Status
> 2022-02-04 17:45:11 UTC
> Active Encryption Token
> vault-1
> Watchdog
> Not running!
> System Version
> 3.16.1
> Hostname
> openxpki-xxx
> Config Version
>
> api
>     3.14
> commit
>     b69603
> config
>     3.14
>
>
>
>
>
> ___
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

-- 
Protect your environment -  close windows and adopt a penguin! 



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Problems with setup (democa)

2022-01-24 Thread Claas Hilbrecht

Hi Oliver,


> I found this problem yesterday and it will be fixed in the next release
> - the reason is (very likely) that the "ratoken" secret in the
> crypto.yaml has no value which lets the call that fetches the system
> status crash. If this is the case your status screen will look like this
> and *NOT* show any value for system version or hostname.
>
> If this is the case, just remove "secret.ratoken" from crypto.yaml or
> pass a value to it.


I changed the crypto.yaml below the realm like this:

File: crypto.yaml

type:
  cmcra: ratoken
token:
  ratoken:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ratoken
secret:
    ratoken:
    label: Secret group for RA Token
    export: 1
    method: literal
    value: test

But still:
Your system status is critical!
OpenXPKI system status
CRL Status
2022-02-04 17:45:11 UTC
Active Encryption Token
vault-1
Watchdog
Not running!
System Version
3.16.1
Hostname
openxpki-xxx
Config Version

api
3.14
commit
b69603
config
3.14







Re: [OpenXPKI-users] Problems with setup (democa)

2022-01-22 Thread Oliver Welter
Hi Claas,

On 21.01.22 at 15:02, Claas Hilbrecht wrote:
> "Your system status is critical!" -> Watchdog..Not Running!
>> I saw this recently with systemd also, I guess that is a false alarm -
>> check with "ps" if there is a watchdog process.
>
> All my test systems show this message and all of them are using
> systemd. Is there anything to do about this? Because you're right, the
> watchdog process is up and running:
>
> ps ax | grep openx
>    3859 ?    Ss 0:03 openxpkid (main) server
>    3862 ?    S  0:03 openxpkid (main) watchdog (idle)

I found this problem yesterday and it will be fixed in the next release
- the reason is (very likely) that the "ratoken" secret in the
crypto.yaml has no value which lets the call that fetches the system
status crash. If this is the case your status screen will look like this
and *NOT* show any value for system version or hostname.

If this is the case, just remove "secret.ratoken" from crypto.yaml or
pass a value to it.

Oli

-- 
Protect your environment -  close windows and adopt a penguin! 



Re: [OpenXPKI-users] Problems with setup (democa)

2022-01-21 Thread Claas Hilbrecht

Hi,

[...]

"Your system status is critical!" -> Watchdog..Not Running!

> I saw this recently with systemd also, I guess that is a false alarm -
> check with "ps" if there is a watchdog process.


All my test systems show this message and all of them are using  
systemd. Is there anything to do about this? Because you're right, the  
watchdog process is up and running:


ps ax | grep openx
   3859 ?    Ss 0:03 openxpkid (main) server
   3862 ?    S  0:03 openxpkid (main) watchdog (idle)






Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-23 Thread Stefan Weigel
Hi Martin & Oliver,
thanks for your quick support!
I can take a step further and test OpenXPKI. 

Merry Christmas to all!


Best regards,

Stefan


From: Martin Bartosch via OpenXPKI-users
Sent: Thursday, 23 December 2021 10:59
To: openxpki-users@lists.sourceforge.net
Cc: Martin Bartosch
Subject: Re: [OpenXPKI-users] Problems with setup (democa)

Hi,

>>> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
>>> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
>>> private key located?
>
>> The keys are wrapped into a PKCS7 container - look for something where
>> the namespace column has a value of sys.crypto.keys
>
> what's the preferred way, store in database or put a keyfile with permission 
> 0400/user openxpki on hdd ?

It's your decision. Back in the day when I designed this initially I 
deliberately chose not to have any key material in the database. (That was at a 
time when the datapool did not exist yet, though.)

Over the time we found that many users seem to prefer their software keys in 
the database, as this makes cluster setups easier to manage, so we implemented 
this.

Both have their advantages and disadvantages, and we leave the decision 
for/against storing keys in the datapool to the skilled PKI architects who use 
our PKI software.

Cheers

Martin





Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-23 Thread Martin Bartosch via OpenXPKI-users
Hi,

>>> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
>>> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
>>> private key located?
> 
>> The keys are wrapped into a PKCS7 container - look for something where
>> the namespace column has a value of sys.crypto.keys
> 
> what's the preferred way, store in database or put a keyfile with permission 
> 0400/user openxpki on hdd ?

It's your decision. Back in the day when I designed this initially I 
deliberately chose not to have any key material in the database. (That was at a 
time when the datapool did not exist yet, though.)

Over the time we found that many users seem to prefer their software keys in 
the database, as this makes cluster setups easier to manage, so we implemented 
this.

Both have their advantages and disadvantages, and we leave the decision 
for/against storing keys in the datapool to the skilled PKI architects who use 
our PKI software.

Cheers

Martin
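For the file-on-disk option discussed above (a key file owned by the openxpki user with permission 0400), the following Python audit is an added example and not part of OpenXPKI: it walks a key directory and reports every file whose owner or permission bits deviate from that policy, treating symlinks as findings as well. The directory it builds under a temporary path, the placeholder file contents and the expected owner (the user running the script) are constructed for the demo.

```python
"""Audit a directory of on-disk OpenXPKI key files against the policy
described above: each file owned by the service user and mode 0400.
Added example, not OpenXPKI code; the key tree built in demo() and the
expected owner (the current user) are constructed for the run."""
import os
import pwd
import stat
import tempfile

EXPECTED_MODE = 0o400   # owner read-only, as in "permission 0400/user openxpki"


def audit_key_dir(directory, expected_owner):
    """Return {path: [findings]} for every file under `directory` whose
    owner or permission bits deviate from the expected policy."""
    findings = {}
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # A key path should be a real file, not a link that could be redirected.
                findings[path] = ["symlink where a regular key file is expected"]
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            issues = []
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)   # uid without a passwd entry
            if owner != expected_owner:
                issues.append(f"owned by {owner}, expected {expected_owner}")
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                issues.append(f"group/other bits set (mode {mode:04o})")
            elif mode != EXPECTED_MODE:
                issues.append(f"mode {mode:04o}, expected {EXPECTED_MODE:04o}")
            if issues:
                findings[path] = issues
    return findings


def demo():
    """Build a constructed key tree in a temp dir: one compliant vault key
    and one realm key left world-readable. Returns findings keyed by the
    path relative to the temp dir."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as root:
        files = {
            os.path.join(root, "vault-1.pem"): 0o400,
            os.path.join(root, "democa", "ca-signer-1.pem"): 0o644,
        }
        os.makedirs(os.path.join(root, "democa"))
        for path, mode in files.items():
            with open(path, "w") as fh:
                fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\n")  # constructed placeholder, no real key
            os.chmod(path, mode)
        return {os.path.relpath(p, root): v for p, v in audit_key_dir(root, me).items()}


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```

Run against `/etc/openxpki/local/keys` with `audit_key_dir("/etc/openxpki/local/keys", "openxpki")` from a cron job or a configuration-management check; any non-empty result is a finding, and a directory whose keys live in the datapool instead will simply contain only the vault key.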





Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-23 Thread Stefan Weigel
Hi Oliver,
you're right. I checked and ratoken isn't in use, so after commenting out this 
section from democa-crypto.yaml the error disappeared.

>> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
>> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
>> private key located?

> The keys are wrapped into a PKCS7 container - look for something where
> the namespace column has a value of sys.crypto.keys

what's the preferred way, store in database or put a keyfile with permission 
0400/user openxpki on hdd ?


Thank you,

Stefan


From: Oliver Welter
Sent: Wednesday, 22 December 2021 09:14
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Problems with setup (democa)

Hi Stefan,

On 20.12.21 at 21:43, Stefan Weigel wrote:
>
>>> When changing to "Manage Secrets" I get
>>> "Unknown error (crypto secret plain setsecret missing part)"
>> This basically means you broke the secret/crypto config - check the
>> "secret" sections in your realm and system crypto.yaml
> I used the democa (https://github.com/openxpki/openxpki-config) without
> changes to the mentioned file.

Can you set the item "secret.ratoken.value" to a fixed value (remove the
@ symbol and put a string there) and see if this solves the problem?
Looks like there is an incomplete setup in the sample files.

>>> Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem gets
>>> created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
>>> /etc/openxpki/local/keys/democa/scep-1.pem weren't copied to the dir:
>>> from /etc/openxpki/config.d/realm/democa/crypto.yaml:
>>> [..]
>>>   ca-signer:
>>>     inherit: default
>>>     key_store: DATAPOOL
>>>     key: "[% ALIAS %]"
>>>
>>>   vault:
>>>     inherit: default
>>>     key: /etc/openxpki/local/keys/[% ALIAS %].pem
>>> [..]
>>>
>>> for vault there is an absolute path, ca-signer is only specified with
>>> alias. Why?
>> With "key_store: DATAPOOL" you tell the system to store the key in the
>> internal database, as the vault is used to encrypt the datapool you can
>> not store the vault itself in the datapool so it remains as a file on
>> disk.
>>
> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
> private key located?

The keys are wrapped into a PKCS7 container - look for something where
the namespace column has a value of sys.crypto.keys

Oliver

--
Protect your environment -  close windows and adopt a penguin!





Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-22 Thread Oliver Welter
Hi Stefan,

On 20.12.21 at 21:43, Stefan Weigel wrote:
>  
>>> When changing to "Manage Secrets" I get
>>> "Unknown error (crypto secret plain setsecret missing part)"
>> This basically means you broke the secret/crypto config - check the
>> "secret" sections in your realm and system crypto.yaml
> I used the democa (https://github.com/openxpki/openxpki-config) without
> changes to the mentioned file.

Can you set the item "secret.ratoken.value" to a fixed value (remove the
@ symbol and put a string there) and see if this solves the problem?
Looks like there is an incomplete setup in the sample files.

>>> Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem gets
>>> created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
>>> /etc/openxpki/local/keys/democa/scep-1.pem weren't copied to the dir:
>>> from /etc/openxpki/config.d/realm/democa/crypto.yaml:
>>> [..]
>>>   ca-signer:
>>>     inherit: default
>>>     key_store: DATAPOOL
>>>     key: "[% ALIAS %]"
>>>
>>>   vault:
>>>     inherit: default
>>>     key: /etc/openxpki/local/keys/[% ALIAS %].pem
>>> [..]
>>>
>>> for vault there is an absolute path, ca-signer is only specified with
>>> alias. Why?
>> With "key_store: DATAPOOL" you tell the system to store the key in the
>> internal database, as the vault is used to encrypt the datapool you can
>> not store the vault itself in the datapool so it remains as a file on
>> disk.
>>
> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
> private key located?

The keys are wrapped into a PKCS7 container - look for something where
the namespace column has a value of sys.crypto.keys

Oliver

-- 
Protect your environment -  close windows and adopt a penguin! 
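The two points made in this exchange, that a token's secret must resolve to a real value (the "@" placeholder or an empty `secret.ratoken` triggers the "setsecret missing part" error) and that the vault token which encrypts the datapool cannot itself be stored there, can be turned into a check run before starting the daemon. The following Python is an added example and not OpenXPKI code: its parser handles only the small YAML subset that appears in the excerpts above (a real deployment would load the file with a YAML library and keep only the `check_*` functions), the rule that a value beginning with `@` is an unresolved placeholder and the token name `vault` are assumptions taken from this thread, `inherit: default` is not resolved, and all sample configurations are constructed.

```python
"""Static checks for an OpenXPKI realm crypto.yaml covering the two
misconfigurations discussed in this thread: a token whose secret has no
usable value, and a vault token whose key would sit in the datapool it
encrypts. Added example, not OpenXPKI code."""


def parse_simple_yaml(text):
    """Parse the YAML subset used in the excerpts: nested mappings of
    scalar strings and '#' comments; no lists, anchors or multi-line
    values. Assumption: real deployments use a YAML library here."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"not a mapping line: {raw!r}")
        while indent <= stack[-1][0]:         # leave mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip('"')
        if value:
            parent[key] = value
        else:                                  # a bare `key:` opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def check_secrets(config):
    """Report tokens whose `secret:` reference cannot yield a value. A
    literal secret needs a non-empty `value`; a value starting with '@' is
    treated as an unresolved placeholder (assumption taken from the advice
    above to replace the '@' symbol with a fixed string)."""
    problems = []
    secrets = config.get("secret", {})
    for name, tok in config.get("token", {}).items():
        ref = tok.get("secret") if isinstance(tok, dict) else None
        if ref is None:
            continue
        spec = secrets.get(ref)
        if not isinstance(spec, dict) or not spec:
            problems.append(f"token '{name}' references secret '{ref}', which is not defined")
        elif spec.get("method", "literal") == "literal":
            value = spec.get("value", "")
            if not isinstance(value, str) or not value:
                problems.append(f"secret '{ref}' has no value")
            elif value.startswith("@"):
                problems.append(f"secret '{ref}' value '{value}' is an unresolved reference")
    return problems


def check_vault_key_store(config, vault_token="vault"):
    """The vault token encrypts the datapool, so its own key cannot live
    there: it must be a key file on disk (token name taken from the thread)."""
    tok = config.get("token", {}).get(vault_token, {})
    if str(tok.get("key_store", "")).upper() == "DATAPOOL":
        return [f"token '{vault_token}' cannot use key_store DATAPOOL"]
    if not str(tok.get("key", "")).startswith("/"):
        return [f"token '{vault_token}' needs an absolute key file path"]
    return []


# Constructed samples modelled on the excerpts quoted in this thread.
VALID_CRYPTO_YAML = """
token:
  vault:
    inherit: default
    key: /etc/openxpki/local/keys/[% ALIAS %].pem
  ratoken:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ratoken
secret:
  ratoken:
    label: Secret group for RA Token
    export: 1
    method: literal
    value: test
"""
# Secret attributes indented as siblings of `ratoken:` instead of under it,
# which leaves `secret.ratoken` empty.
MISINDENTED_CRYPTO_YAML = VALID_CRYPTO_YAML.replace("  ratoken:\n    label", "    ratoken:\n    label")
# Placeholder left in place of a real value.
UNRESOLVED_CRYPTO_YAML = VALID_CRYPTO_YAML.replace("value: test", 'value: "@ratoken"')
# Vault key pointed at the datapool it is supposed to encrypt.
VAULT_IN_DATAPOOL_YAML = VALID_CRYPTO_YAML.replace(
    "    key: /etc/openxpki/local/keys/[% ALIAS %].pem", '    key_store: DATAPOOL\n    key: "[% ALIAS %]"')

if __name__ == "__main__":
    for label, text in (("valid", VALID_CRYPTO_YAML), ("misindented", MISINDENTED_CRYPTO_YAML),
                        ("unresolved", UNRESOLVED_CRYPTO_YAML), ("vault in datapool", VAULT_IN_DATAPOOL_YAML)):
        cfg = parse_simple_yaml(text)
        print(f"{label}: {check_secrets(cfg) + check_vault_key_store(cfg) or 'ok'}")
```

The misindented sample is worth noting because it produces the same symptom as a missing value: YAML silently makes `ratoken` an empty mapping and `label`, `method` and `value` siblings of it, so a visual check of the file can pass while the secret itself is empty.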





Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-20 Thread Stefan Weigel
Hi Oliver,

On Monday, 20.12.2021 at 11:09 +0100, Oliver Welter wrote:
> Hello Stefan,
> 
> On 20.12.21 at 08:04, Stefan Weigel wrote:
> > Debian buster
> > OpenXPKI 3.6.1 (via git clone)
> I hope this is a typo and you are on 3.16.1...

You're right, it is 3.16.0

> > I tried with openxpki.git/vagrant/debian/setup-dummy.sh to setup
> > MariaDB & democa stuff.
> > 
> > Via raop in WebGUI I'm getting:
> > "Your system status is critical!" -> Watchdog..Not Running!
> I saw this recently with systemd also, I guess that is a false alarm -
> check with "ps" if there is a watchdog process.

ps tells me it's running.

> > When changing to "Manage Secrets" I get
> > "Unknown error (crypto secret plain setsecret missing part)"
> 
> This basically means you broke the secret/crypto config - check the
> "secret" sections in your realm and system crypto.yaml

I used the democa (https://github.com/openxpki/openxpki-config) without
changes to the mentioned file.

> 
> > Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem gets
> > created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
> > /etc/openxpki/local/keys/democa/scep-1.pem weren't copied to the dir:
> > from /etc/openxpki/config.d/realm/democa/crypto.yaml:
> > [..]
> >   ca-signer:
> >     inherit: default
> >     key_store: DATAPOOL
> >     key: "[% ALIAS %]"
> > 
> >   vault:
> >     inherit: default
> >     key: /etc/openxpki/local/keys/[% ALIAS %].pem
> > [..]
> > 
> > for vault there is an absolute path, ca-signer is only specified with
> > alias. Why?
> 
> With "key_store: DATAPOOL" you tell the system to store the key in the
> internal database, as the vault is used to encrypt the datapool you can
> not store the vault itself in the datapool so it remains as a file on
> disk.
> 

I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
private key located?

> Oliver
> 
> 

Thanks and best regards,

Stefan





Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-20 Thread Oliver Welter
Hello Stefan,

On 20.12.21 at 08:04, Stefan Weigel wrote:
> Debian buster
> OpenXPKI 3.6.1 (via git clone)
I hope this is a typo and you are on 3.16.1...
> I tried with openxpki.git/vagrant/debian/setup-dummy.sh to setup
> MariaDB & democa stuff.
>
> Via raop in WebGUI I'm getting:
> "Your system status is critical!" -> Watchdog..Not Running!
I saw this recently with systemd also, I guess that is a false alarm -
check with "ps" if there is a watchdog process.
> When changing to "Manage Secrets" I get
> "Unknown error (crypto secret plain setsecret missing part)"

This basically means you broke the secret/crypto config - check the
"secret" sections in your realm and system crypto.yaml

 
> Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem gets
> created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
> /etc/openxpki/local/keys/democa/scep-1.pem weren't copied to the dir:
> from /etc/openxpki/config.d/realm/democa/crypto.yaml:
> [..]
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>
>   vault:
>     inherit: default
>     key: /etc/openxpki/local/keys/[% ALIAS %].pem
> [..]
>
> for vault there is an absolute path, ca-signer is only specified with
> alias. Why?

With "key_store: DATAPOOL" you tell the system to store the key in the
internal database, as the vault is used to encrypt the datapool you can
not store the vault itself in the datapool so it remains as a file on disk.

Oliver

 

-- 
Protect your environment -  close windows and adopt a penguin! 





[OpenXPKI-users] Problems with setup (democa)

2021-12-19 Thread Stefan Weigel
Hi list,
I'm trying currently to get a working setup of OpenXPKI up and running.
System:

Debian buster
OpenXPKI 3.6.1 (via git clone)

I tried with openxpki.git/vagrant/debian/setup-dummy.sh to setup
MariaDB & democa stuff.

Via raop in WebGUI I'm getting:
"Your system status is critical!" -> Watchdog..Not Running!

When changing to "Manage Secrets" I get
"Unknown error (crypto secret plain setsecret missing part)"

via openxpkid.log:
2021/12/17 13:21:46 DEBUG Session resumed [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG Changing session state from SESSION_ID_SENT_FROM_CONTINUE to MAIN_LOOP [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG Executing command get_secrets [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG Loading 105 API plugins [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Profile::Util: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Profile/Util.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Workflow::Util: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Workflow/Util.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Crypto::password_quality::Validate: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Crypto/password_quality/Validate.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Crypto::password_quality::CheckEntropyRole: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Crypto/password_quality/CheckEntropyRole.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Datapool::Util: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Datapool/Util.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Api::Util::ModuleFinder: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Api/Util/ModuleFinder.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Token::Util: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Token/Util.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Cert::DateCondition: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Cert/DateCondition.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Api::Util::PodPOMView: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Api/Util/PodPOMView.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Crypto::password_quality::CheckStandardRole: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Crypto/password_quality/CheckStandardRole.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Crypto::password_quality::CheckLegacyRole: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Crypto/password_quality/CheckLegacyRole.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API - ignore OpenXPKI::Server::API2::Plugin::Crypto::password_quality::TopPasswords: does not have role OpenXPKI::Server::API2::PluginRole (/usr/share/perl5/OpenXPKI/Server/API2/Plugin/Crypto/password_quality/TopPasswords.pm) [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG API call to 'get_secrets' [pid=8576|sid=hQke]
2021/12/17 13:21:46 ERROR I18N_OPENXPKI_CRYPTO_SECRET_PLAIN_SETSECRET_MISSING_PART [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG Sending error $VAR1 = {
  'CLASS' => 'OpenXPKI::Exception',
  'LABEL' => 'I18N_OPENXPKI_CRYPTO_SECRET_PLAIN_SETSECRET_MISSING_PART',
  'PARAMS' => {}
};
 [pid=8576|sid=hQke]
2021/12/17 13:21:46 DEBUG Changing session state from MAIN_LOOP to NEW [pid=8576|]



Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem gets
created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
/etc/openxpki/local/keys/democa/scep-1.pem weren't copied to the dir:

"When provided, the system tries to copy the key data contained in the
given file to the location defined in the token configuration. The token
configuration is read from the OpenXPKI server process via the socket
using the System stack to authenticate. Therefore this requires that the
daemon is up and allows access to the I call for the default System user
(this configuration is currently hardcoded and can not be changed)."

from /etc/openxpki/config.d/realm/democa/crypto.yaml:
[..]
  ca-signer:
    inherit: default
    key_store: