Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-22 Thread Martin Bartosch via OpenXPKI-users
Hi,

> My further test shows that CDP works correctly if the directory is owned by
> the openxpki user.
> Previously it was owned by apache user/group with group writeable permission.
> The openxpki user is a member of the apache group. This did not work. I am not
> sure why, likely because the perl module does not honor the supplementary
> group permission.

This is expected behaviour: the group assignments in /etc/group are ignored by 
the OpenXPKI server process. The reason is that the Net::Server base class we 
use in OpenXPKI requires explicit configuration of the Unix user and group to 
assume when daemonizing the server on startup, and it can also only assume one 
single group membership. 
See user and group in

https://metacpan.org/dist/Net-Server/view/lib/Net/Server.pod#user

So you should make sure that you plan a proper user/group/permission scheme for 
your runtime environment and allow write access for the configured Daemon user 
or group.

Hope this helps,

cheers

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-22 Thread Lixin Liu
Hi Oliver,

My further test shows that CDP works correctly if the directory is owned by
the openxpki user.
Previously it was owned by apache user/group with group writeable permission.
The openxpki user is a member of the apache group. This did not work. I am not
sure why, likely because the perl module does not honor the supplementary
group permission.

Thank you very much.

Lixin.



Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-22 Thread Oliver Welter

Hi Lixin,

Please make individual posts per question - that's easier to follow up :)

Regarding the CRL publishing, that sounds like your path does not exist
or is not writable.

The "advanced" style is a leftover from a very old config setup and was
never really supported by the 3.x release - it is left there mainly as a
reference and you are right, the san_email template is missing in the
configuration. The suggested way is to use a matching template in the
subject section, which it looks like you already did.


Oliver



--
Protect your environment -  close windows and adopt a penguin!


Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-22 Thread Lixin Liu
After tuning the log level to DEBUG, I managed to find out why publishing the
CRL failed. For some reason, the Connector::Builtin::File::Path module is
unable to create a new file:

2023/02/22 08:21:42 767 Publishing to 'publishing.crl.crl.Grid Canada 
Certificate Authority 2' failed: Unable to open file for writing at 
/usr/local/share/perl5/5.32/Connector/Builtin/File/Path.pm line 156,  
line 1.

If I touch the CRL file first, I am able to publish the new CRL.

Cheers,

Lixin.

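The failure mode in this message (creating a new CRL file fails, overwriting a pre-created one works) and the explanation in Martin's reply (the daemon assumes exactly one uid and one gid, so supplementary groups from /etc/group do not count) come down to the plain Unix owner/group/other check. The following is an added example, not OpenXPKI's or Net::Server's code: a small Python model of that check which distinguishes "overwrite existing file" (needs write on the file) from "create new file" (needs write and search on the parent directory). The function names, the Inode model and all numeric uids/gids are assumptions constructed for the illustration; check_path runs the same logic against a real path.

```python
"""Added example (not OpenXPKI or Net::Server code): model the Unix write check
that decides whether a daemon running as exactly ONE uid and ONE gid can
publish a file.  Supplementary groups from /etc/group are deliberately not
consulted, which is the behaviour described in the thread.

Names (Inode, can_write, can_publish, check_path) and all numeric ids below are
assumptions made for this illustration, not values from the mailing list.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import grp
import os
import pwd
import stat


@dataclass(frozen=True)
class Inode:
    """The three pieces of stat() metadata that matter for a DAC check."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o775


def can_write(inode: Inode, uid: int, gid: int, want_search: bool = False) -> bool:
    """Classic owner/group/other check with a single group id.

    want_search adds the execute (search) bit, which a directory needs in
    addition to write before a new entry can be created in it.
    """
    if uid == 0:
        return True  # simplification: root bypasses DAC (CAP_DAC_OVERRIDE)
    if uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif gid == inode.gid:          # only the ONE configured gid is compared
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    need = 0o2 | (0o1 if want_search else 0)
    return (bits & need) == need


def can_publish(parent: Inode, existing: Optional[Inode], uid: int, gid: int) -> Tuple[bool, str]:
    """Decide whether the daemon can write the publication target.

    Overwriting an existing file only needs write permission on the file;
    creating a new one needs write+search on the parent directory.  That is
    why pre-creating ("touching") the file can mask a directory problem.
    """
    if existing is not None:
        ok = can_write(existing, uid, gid)
        return ok, ("overwrite existing file" if ok
                    else "existing file not writable by daemon uid/gid")
    ok = can_write(parent, uid, gid, want_search=True)
    return ok, ("create new file in directory" if ok
                else "directory not writable+searchable by daemon uid/gid")


def inode_of(path: str) -> Inode:
    st = os.stat(path)
    return Inode(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def check_path(path: str, user: str, group: str) -> Tuple[bool, str]:
    """Run the check against a real path for the daemon's configured user/group."""
    uid, gid = pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid
    parent = inode_of(os.path.dirname(path) or ".")
    existing = inode_of(path) if os.path.exists(path) else None
    return can_publish(parent, existing, uid, gid)


# Constructed ids for the scenarios from the thread (assumption, not real data).
APACHE_UID, APACHE_GID = 48, 48
OPENXPKI_UID, OPENXPKI_GID = 1001, 1001


def thread_scenarios() -> Dict[str, bool]:
    cdp_apache = Inode(APACHE_UID, APACHE_GID, 0o775)        # drwxrwxr-x apache:apache
    cdp_openxpki = Inode(OPENXPKI_UID, OPENXPKI_GID, 0o755)  # drwxr-xr-x openxpki:openxpki
    touched = Inode(OPENXPKI_UID, OPENXPKI_GID, 0o644)       # pre-created CRL (assumed owned by openxpki)
    return {
        # group-writable apache dir, openxpki only a supplementary member -> fails
        "apache_dir_new_file": can_publish(cdp_apache, None, OPENXPKI_UID, OPENXPKI_GID)[0],
        # same dir, but the file already exists and is writable -> works
        "apache_dir_touched_file": can_publish(cdp_apache, touched, OPENXPKI_UID, OPENXPKI_GID)[0],
        # directory owned by the daemon user -> works
        "openxpki_dir_new_file": can_publish(cdp_openxpki, None, OPENXPKI_UID, OPENXPKI_GID)[0],
        # daemon configured with apache as its ONE group -> group bits apply -> works
        "daemon_group_apache": can_publish(cdp_apache, None, OPENXPKI_UID, APACHE_GID)[0],
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:28s} {'OK' if ok else 'FAIL'}")
```

The last scenario is the one Martin's reply points at: rather than relying on group membership in /etc/group, either make the daemon user the owner of the publication directory or set the daemon's single configured group to the group that owns it. Run check_path("/var/www/openxpki/CertEnroll/ca.crl", "openxpki", "openxpki") on the server to get the same verdict for the real directory and user.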


[OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-21 Thread Lixin Liu
Hi,

Questions about setting up openxpki.

First, I can issue a CRL correctly, but I am unable to publish it (to a local
directory). Here is the log:



2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 
255/crl_issuance/PUBLISH_CRL executed 'global_noop' (autorun) in state 
'LOAD_NEXT_CA' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 
255/crl_issuance/PUBLISH_CRL changed from state 'LOAD_NEXT_CA' 
[pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 
255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 executed 
'global_tmp_queue_next_item' (autorun) in state 'PUBLISH_CRL' 
[pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 
255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 changed from state 
'PUBLISH_CRL' [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.application.INFO Publication failed for target 
crl, requeuing [pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.workflow.INFO Workflow 
255/crl_issuance/PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0 paused at action 
crl_publish_crl, cause: I18N_OPENXPKI_UI_ERROR_DURING_PUBLICATION 
[pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 openxpki.application.INFO Action crl_publish_crl paused 
(I18N_OPENXPKI_UI_ERROR_DURING_PUBLICATION), wakeup 2023-02-21T20:37:52 
[pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]

2023/02/21 12:37:37 OpenXPKI.Server.Workflow.ERROR Caught exception from 
action: [Generic exception]; reset workflow to old state 
'PUBLISH_CRL_GLOBAL_TMP_QUEUE_NEXT_ITEM_0' 
[pid=5350|sid=zm60|wftype=crl_issuance|wfid=255]



In publishing.yaml, I have

crl:
    crl@: connector:publishing.connectors.cdp

connectors:
    cdp:
        class: Connector::Builtin::File::Path
        LOCATION: /var/www/openxpki/CertEnroll/
        file: "[% ARGS.0 %].crl"
        content: "[% pem %]"

The second question is about SAN email configuration:

Following the "05_advanced_style" example in sample.yaml, I defined san_email,
but it failed to recognize the email address. From what I can see, "san_email"
is not defined in the profile template. I can work around the issue by adding
email to the ui subject and then setting subject -> san -> email. Is there a
plan to fix this in the future, or is this the proper way of doing it?

Thanks!

Lixin.