Re: [PacketFence-users] Packetfence PKI setup

2024-05-03 Thread Chris Vogel via PacketFence-users



Hey Karl,

did you find anything out about your problem?

On 24.04.24 at 16:53, Karl Peciulis via PacketFence-users wrote:
> 140644003884032:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
> 140644003884032:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=X509
>
> To me that seems like some sort of OpenSSL error. Any ideas on where to
> look next?


Reading your message again I thought this could be related to problems I 
had using the PF PKI (the problems could arise using any PKI, but they 
were pitfalls for me when trying the PF PKI for the first time).


When I generated a CA certificate using the PF PKI I found that it would 
not be accepted for EAP-TLS. Testing the certificates (CA and client 
certificates) using `openssl verify` I found that the CA hasn't been 
accepted and therefore the client certificate has been invalid.


I changed my setup like this: created a CA independent of packetfence 
using openssl and checked on that. Then created from the PF CA 
certificate a signing request that I signed using my openssl CA. I 
imported my new CA certificate into the packetfence PKI.


Then I had CA-certificate (openssl CA), intermediate certificate 
(packetfence PKI CA). These CA certificates then were accepted for PFs 
radius server (configuration/ssl certificates) and the client 
certificates worked for EAP-TLS.


If your scep error is openssl complaining about the certificate you 
might see a related error in a different place than me.


Also I had to use `openssl` often with the `-legacy` option to get it to 
accept a cert/csr from my PF PKI on which I used RSA/SHA256, because I 
had errors using elliptic curve when I started my testings and thought it 
would be a wise idea to get back to defaults.


To get rid of the rests of your tests in the PKI section of PF I deleted 
all the tables related to pki in the mysql database multiple times to 
start over. Do not forget to restart the PF PKI after changes - no 
matter whether on the web interface or directly inside the database.


Chris

--
Packetfence Matrix Room
https://matrix.to/#/%23packetfence:matrix.org


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Packetfence PKI setup

2024-04-24 Thread Karl Peciulis via PacketFence-users
Hello,

I am using Packetfence v13.1 ZEN setup and trying to set up EAP-TLS
wireless authentication using SCEP.

I am following the guide and when I get to the point to test the CA using
the sscep tool, I get the following error:

root@packetfence:/usr/local/pf/raddb/certs# sscep getca -u http://10.7.69.59/scep/usr_crt -c ./ca-prefix -i MyPKI -v -d
sscep: starting sscep, version 0.9.0
sscep: new transaction
sscep: transaction id: SSCEP transactionId
sscep: hostname: 10.7.69.59
sscep: directory: scep/usr_crt
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
GET /scep/usr_crt?operation=GetCACaps HTTP/1.1
Host: 10.7.69.59
Connection: close
sscep: server response status code: 200, MIME header: text/plain
sscep: scep caps bitmask: 0x04bb
sscep: SCEP_OPERATION_GETCA
sscep: scep request:
GET /scep/usr_crt?operation=GetCACert=MyPKI HTTP/1.1
Host: 10.7.69.59
Connection: close
sscep: server response status code: 200, MIME header: application/x-x509-ca-cert
sscep: valid response from server
140644003884032:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140644003884032:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=X509


To me that seems like some sort of OpenSSL error. Any ideas on where to
look next?

Thank you



--
Karl Peciulis
IT Infrastructure Specialist
KSD140


Re: [PacketFence-users] Packetfence PKI and EAP-TLS

2022-02-21 Thread Adrian Damaschek via PacketFence-users
Hello,

I did have this error message today and what I figured out it means that the 
certificate presented by the radius server is not trusted by the client.

You either have to go to 

Config -> System Config -> SSL Certificates -> Radius 

And either replace the radius certificate with one that is generated by a CA 
that is trusted by the client, or you take the self-made CA that is there 
(should be called Example Certificate Authority), and make it so the client 
trusts that (would only recommend for testing).

Regards
Adrian


-Original Message-
From: Pieter Boelens via PacketFence-users 
 
Sent: Monday, 21 February 2022 14:17
To: packetfence-users@lists.sourceforge.net
Cc: Pieter Boelens 
Subject: Re: [PacketFence-users] Packetfence PKI and EAP-TLS

Hello,

Was a solution ever found for this issue? I have the exact same problem and 
have not been able to find a solution yet. 

When I copy paste the CA public key into Configuration → System Configuration → 
SSL Certificates → RADIUS → Edit, it returns the error “Failed verifying chain: 
error stdin: verification failed . Unable to fetch all the intermediates 
through the information contained in the certificate. You will have to upload 
the intermediate chain manually in x509 (Apache) format.” 

Could someone point me in the right direction?

Best regards,
Pieter

> -Original message-
> 
> Hi Ludovic,
> 
> Thanks for your feedback. Indeed, that is what I was referring to.
> I tested both on Windows 10 and Android 10.
> This is what I did:
> 1. Generate a root CA using Integration > PKI > Certificate Authorities
> 2. Copy the root CA to System Configuration > SSL Certificates > Radius >
> Certificate Authority
> 3. Create a template
> 4. Create a user cert based on this template
> 5. Export the cert to p12 (thus including the root ca)
> 6. Import the p12 to Windows/Android
> 
> Best regards,
> Thijs
> 
> On Mon, 1 Feb 2021 at 17:34, Ludovic Zammit wrote:
> 
> > Hello,
> >
> > eap_tls: TLS Alert read:fatal:unknown CA
> >
> > That error means that the client wants to trust the Radius 
> > certificate that is installed on PacketFence and does not trust his root CA.
> >
> > To avoid that error, you can first configure a good certificate on 
> > the PacketFence Radius service and trust his root CA / install the 
> > root CA on the testing device or you can ignore the certificate check.
> >
> > What’s the OS of your testing device ?
> >
> > Thanks,
> >
> >
> > Ludovic Zammit
> > lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu/) and PacketFence
> > (http://packetfence.org/)
> >
> > On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via 
> > PacketFence-users < packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi,
> >
> > For a while now, I'm trying to get EAP-TLS working on Packetfence 
> > using the built-in PKI.
> > I'm following the installation guide ( 
> > https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki

Re: [PacketFence-users] Packetfence PKI and EAP-TLS

2022-02-21 Thread Pieter Boelens via PacketFence-users
Hello,

Was a solution ever found for this issue? I have the exact same problem and 
have not been able to find a solution yet. 

When I copy paste the CA public key into Configuration → System Configuration → 
SSL Certificates → RADIUS
→ Edit, it returns the error “Failed verifying chain: error stdin: verification 
failed . Unable to fetch all the intermediates through the information 
contained in the certificate. You will have to upload the intermediate chain 
manually in x509 (Apache) format.” 

Could someone point me in the right direction?

Best regards,
Pieter

> -Original message-
> 
> Hi Ludovic,
> 
> Thanks for your feedback. Indeed, that is what I was referring to.
> I tested both on Windows 10 and Android 10.
> This is what I did:
> 1. Generate a root CA using Integration > PKI > Certificate Authorities
> 2. Copy the root CA to System Configuration > SSL Certificates > Radius >
> Certificate Authority
> 3. Create a template
> 4. Create a user cert based on this template
> 5. Export the cert to p12 (thus including the root ca)
> 6. Import the p12 to Windows/Android
> 
> Best regards,
> Thijs
> 
> On Mon, 1 Feb 2021 at 17:34, Ludovic Zammit wrote:
> 
> > Hello,
> >
> > eap_tls: TLS Alert read:fatal:unknown CA
> >
> > That error means that the client wants to trust the Radius certificate that
> > is installed on PacketFence and does not trust his root CA.
> >
> > To avoid that error, you can first configure a good certificate on the
> > PacketFence Radius service and trust his root CA / install the root CA on
> > the testing device or you can ignore the certificate check.
> >
> > What’s the OS of your testing device ?
> >
> > Thanks,
> >
> >
> > Ludovic Zammit
> > lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu/) and PacketFence
> > (http://packetfence.org/)
> >
> >
> >
> >
> >
> > On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <
> > packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi,
> >
> > For a while now, I'm trying to get EAP-TLS working on Packetfence using
> > the built-in PKI.
> > I'm following the installation guide (
> > https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki),
> > but I think I'm still missing something, or doing something wrong:
> >
> > The guide mentions:
> > *Once done copy the certificate in the clipboard from the Certificate
> > Authorities list (Configuration → Integration → PKI → Certificate
> > Authorities and click on Copy Certificate) then edit the RADIUS certificate
> > section in Configuration → System Configuration → SSL Certificates → RADIUS
> > → Edit and paste the public key in "Certificate Authority" and Save. (Don’t
> > forget to restart radiusd-auth)*
> >
> > However, this makes the RADIUS certificate chain invalid:
> > *Failed verifying chain: error stdin: verification failed . Ensure the
> > intermediates certificate file you provided contains all the intermediate
> > certificate authorities in x509 (Apache) format.*
> >
> > Indeed, I can only connect using a generated certificate when choosing not
> > to validate the CA on the end-device. When I ask to verify the CA, this is
> > the error I get in radius.log:
> >
> >
> >
> >
> >
> > *Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user:
> > Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*
> >
> > I tried this on PF 10.0.1 and 10.2.0, same behavior.
> >
> > Any ideas?
> >
> > Thanks!
> > Thijs


Re: [PacketFence-users] Packetfence PKI and EAP-TLS

2021-02-01 Thread Thijs Vandecasteele via PacketFence-users
Hi Ludovic,

Thanks for your feedback. Indeed, that is what I was referring to.
I tested both on Windows 10 and Android 10.
This is what I did:
1. Generate a root CA using Integration > PKI > Certificate Authorities
2. Copy the root CA to System Configuration > SSL Certificates > Radius >
Certificate Authority
3. Create a template
4. Create a user cert based on this template
5. Export the cert to p12 (thus including the root ca)
6. Import the p12 to Windows/Android

Best regards,
Thijs

On Mon, 1 Feb 2021 at 17:34, Ludovic Zammit wrote:

> Hello,
>
> eap_tls: TLS Alert read:fatal:unknown CA
>
> That error means that the client wants to trust the Radius certificate that
> is installed on PacketFence and does not trust his root CA.
>
> To avoid that error, you can first configure a good certificate on the
> PacketFence Radius service and trust his root CA / install the root CA on
> the testing device or you can ignore the certificate check.
>
> What’s the OS of your testing device ?
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
> On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi,
>
> For a while now, I'm trying to get EAP-TLS working on Packetfence using
> the built-in PKI.
> I'm following the installation guide (
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki),
> but I think I'm still missing something, or doing something wrong:
>
> The guide mentions:
> *Once done copy the certificate in the clipboard from the Certificate
> Authorities list (Configuration → Integration → PKI → Certificate
> Authorities and click on Copy Certificate) then edit the RADIUS certificate
> section in Configuration → System Configuration → SSL Certificates → RADIUS
> → Edit and paste the public key in "Certificate Authority" and Save. (Don’t
> forget to restart radiusd-auth)*
>
> However, this makes the RADIUS certificate chain invalid:
> *Failed verifying chain: error stdin: verification failed . Ensure the
> intermediates certificate file you provided contains all the intermediate
> certificate authorities in x509 (Apache) format.*
>
> Indeed, I can only connect using a generated certificate when choosing not
> to validate the CA on the end-device. When I ask to verify the CA, this is
> the error I get in radius.log:
>
>
>
>
>
> *Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user:
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*
>
> I tried this on PF 10.0.1 and 10.2.0, same behavior.
>
> Any ideas?
>
> Thanks!
> Thijs


Re: [PacketFence-users] Packetfence PKI add SAN

2021-02-01 Thread Thomas Michel via PacketFence-users

Hi Ludovic,


did you find out anything?


Thanks,

Tom.

On 07.12.2020 at 15:32, Ludovic Zammit wrote:
I’m actually testing it and I will let you know what we can do about 
that.


Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


On Dec 7, 2020, at 9:29 AM, t...@michel.ruhr wrote:


Hi,
yes, Root CA is installed. But modern browsers require the servername 
to be present in the SAN as well as in the CN. MS Edge displays a 
NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn’t present, 
Firefox refuses to connect. This seems to be the normal behaviour 
now, see Support for commonName matching in Certificates - Chrome 
Platform Status (chromestatus.com) 
<https://www.chromestatus.com/feature/4981025180483584> for example.

Regards,
Tom.
*From:* Ludovic Zammit <lzam...@inverse.ca>
*Sent:* Monday, 7 December 2020 14:56
*To:* packetfence-users@lists.sourceforge.net
*Cc:* t...@michel.ruhr
*Subject:* Re: [PacketFence-users] Packetfence PKI add SAN
Hello Tom,
Which browsers? Did you install the PacketFence PKI Root CA on the 
testing device?
Because without the Root CA installed on either device, it would not 
be able to trust the certificate issued by the PacketFence PKI and 
also the chain.

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
PacketFence (http://packetfence.org)


On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi,
I am using Packetfence 10.2 and have configured the internal PKI to 
deploy certificates to clients which works fine. I thought I’d use 
the PKI also to create certificates for internal Web Servers. This 
works in general but Browsers show errors as no SAN is given in the 
certificate. Is there a way to add SANs to the certificate?

Thanks,
Tom.


Re: [PacketFence-users] Packetfence PKI and EAP-TLS

2021-02-01 Thread Ludovic Zammit via PacketFence-users
Hello,

eap_tls: TLS Alert read:fatal:unknown CA

That error means that the client wants to trust the Radius certificate that is 
installed on PacketFence and does not trust his root CA.

To avoid that error, you can first configure a good certificate on the 
PacketFence Radius service and trust his root CA / install the root CA on the 
testing device or you can ignore the certificate check.

What’s the OS of your testing device ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Jan 30, 2021, at 8:40 AM, Thijs Vandecasteele via PacketFence-users 
>  wrote:
> 
> Hi,
> 
> For a while now, I'm trying to get EAP-TLS working on Packetfence using the 
> built-in PKI.
> I'm following the installation guide 
> (https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki 
> ),
>  but I think I'm still missing something, or doing something wrong:
> 
> The guide mentions:
> Once done copy the certificate in the clipboard from the Certificate 
> Authorities list (Configuration → Integration → PKI → Certificate Authorities 
> and click on Copy Certificate) then edit the RADIUS certificate section in 
> Configuration → System Configuration → SSL Certificates → RADIUS → Edit and 
> paste the public key in "Certificate Authority" and Save. (Don’t forget to 
> restart radiusd-auth)
> 
> However, this makes the RADIUS certificate chain invalid:
> Failed verifying chain: error stdin: verification failed . Ensure the 
> intermediates certificate file you provided contains all the intermediate 
> certificate authorities in x509 (Apache) format.
> 
> Indeed, I can only connect using a generated certificate when choosing not to 
> validate the CA on the end-device. When I ask to verify the CA, this is the 
> error I get in radius.log:
> 
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert 
> read:fatal:unknown CA
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: 
> Failed in unknown state
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in 
> __FUNCTION__ (SSL_read)
> Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected 
> user: 
> Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS 
> Alert read:fatal:unknown CA): [] (from client X.X.X.X/X port 0 cli 
> xx:xx:xx:xx:xx:xx)
> 
> I tried this on PF 10.0.1 and 10.2.0, same behavior.
> 
> Any ideas?
> 
> Thanks!
> Thijs
> 


[PacketFence-users] Packetfence PKI and EAP-TLS

2021-02-01 Thread Thijs Vandecasteele via PacketFence-users
Hi,

For a while now, I'm trying to get EAP-TLS working on Packetfence using the
built-in PKI.
I'm following the installation guide (
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki),
but I think I'm still missing something, or doing something wrong:

The guide mentions:
*Once done copy the certificate in the clipboard from the Certificate
Authorities list (Configuration → Integration → PKI → Certificate
Authorities and click on Copy Certificate) then edit the RADIUS certificate
section in Configuration → System Configuration → SSL Certificates → RADIUS
→ Edit and paste the public key in "Certificate Authority" and Save. (Don’t
forget to restart radiusd-auth)*

However, this makes the RADIUS certificate chain invalid:
*Failed verifying chain: error stdin: verification failed . Ensure the
intermediates certificate file you provided contains all the intermediate
certificate authorities in x509 (Apache) format.*

Indeed, I can only connect using a generated certificate when choosing not
to validate the CA on the end-device. When I ask to verify the CA, this is
the error I get in radius.log:





*Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS Alert read:fatal:unknown CA
Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: TLS_accept: Failed in unknown state
Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
Jan 14 21:36:26 AS01NAC01 auth[24562]: [mac:xx:xx:xx:xx:xx:xx:xx] Rejected user:
Jan 14 21:36:26 AS01NAC01 auth[24562]: (1208) Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA): [] (from client X.X.X.X/X port 0 cli xx:xx:xx:xx:xx:xx)*

I tried this on PF 10.0.1 and 10.2.0, same behavior.

Any ideas?

Thanks!
Thijs


Re: [PacketFence-users] Packetfence PKI add SAN

2020-12-07 Thread tom--- via PacketFence-users
Hi Ludovic,

 

thanks. I did some digging around in the code of my Packetfence installation 
and found a file called models.go under go/caddy/pfpki. In there it looks like 
the certificate is being created. Looking at the Golang documentation for 
x509.CreateCertificate it seems an array “DNSNames” can be added to 
the certificate. Probably it would be an option to copy the CN into that array?

 

I don’t know how the certificate generation works in PF to be honest, it’s just 
a wild guess 

 

Regards,

Tom.

 

From: Ludovic Zammit
Sent: Monday, 7 December 2020 15:32
To: t...@michel.ruhr
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Packetfence PKI add SAN

I’m actually testing it and I will let you know what we can do about that.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

On Dec 7, 2020, at 9:29 AM, t...@michel.ruhr wrote:

Hi,

yes, Root CA is installed. But modern browsers require the servername to be 
present in the SAN as well as in the CN. MS Edge displays a 
NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn’t present, Firefox 
refuses to connect. This seems to be the normal behaviour now, see Support for 
commonName matching in Certificates - Chrome Platform Status (chromestatus.com) 
<https://www.chromestatus.com/feature/4981025180483584> for example.

Regards,

Tom.

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Monday, 7 December 2020 14:56
To: packetfence-users@lists.sourceforge.net
Cc: t...@michel.ruhr
Subject: Re: [PacketFence-users] Packetfence PKI add SAN

Hello Tom,

Which browsers? Did you install the PacketFence PKI Root CA on the testing 
device?

Because without the Root CA installed on either device, it would not be able to 
trust the certificate issued by the PacketFence PKI and also the chain.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org) 

On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi,

I am using Packetfence 10.2 and have configured the internal PKI to deploy 
certificates to clients which works fine. I thought I’d use the PKI also to 
create certificates for internal Web Servers. This works in general but 
Browsers show errors as no SAN is given in the certificate. Is there a way to 
add SANs to the certificate? 

Thanks,

Tom.

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Packetfence PKI add SAN

2020-12-07 Thread tom--- via PacketFence-users
Hi,

 

yes, Root CA is installed. But modern browsers require the servername to be 
present in the SAN as well as in the CN. MS Edge displays a 
NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn’t present, Firefox 
refuses to connect. This seems to be the normal behaviour now, see Support for 
commonName matching in Certificates - Chrome Platform Status (chromestatus.com) 
<https://www.chromestatus.com/feature/4981025180483584> for example.

Regards,

Tom.

From: Ludovic Zammit
Sent: Monday, 7 December 2020 14:56
To: packetfence-users@lists.sourceforge.net
Cc: t...@michel.ruhr
Subject: Re: [PacketFence-users] Packetfence PKI add SAN

Hello Tom,

Which browsers? Did you install the PacketFence PKI Root CA on the testing 
device?

Because without the Root CA installed on either device, it would not be able to 
trust the certificate issued by the PacketFence PKI and also the chain.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi,

I am using Packetfence 10.2 and have configured the internal PKI to deploy 
certificates to clients which works fine. I thought I’d use the PKI also to 
create certificates for internal Web Servers. This works in general but 
Browsers show errors as no SAN is given in the certificate. Is there a way to 
add SANs to the certificate? 

Thanks,

Tom.



Re: [PacketFence-users] Packetfence PKI add SAN

2020-12-07 Thread Ludovic Zammit via PacketFence-users
I’m actually testing it and I will let you know what we can do about that.

Thanks,

Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) 
and PacketFence (http://packetfence.org <http://packetfence.org/>) 




> On Dec 7, 2020, at 9:29 AM,   wrote:
> 
> Hi,
>  
> yes, Root CA is installed. But modern browsers require the servername to be 
> present in the SAN as well as in the CN. MS Edge displays a 
> NET::ERR_CERT_COMMON_NAME_INVALID error if the SAN isn’t present, Firefox 
> refuses to connect. This seems to be the normal behaviour now, see Support 
> for commonName matching in Certificates - Chrome Platform Status 
> (chromestatus.com) <https://www.chromestatus.com/feature/4981025180483584> 
> for example.
>  
> Regards,
> Tom.
>  
> From: Ludovic Zammit
> Sent: Monday, 7 December 2020 14:56
> To: packetfence-users@lists.sourceforge.net
> Cc: t...@michel.ruhr
> Subject: Re: [PacketFence-users] Packetfence PKI add SAN
>  
> Hello Tom,
>  
> Which browsers? Did you install the PacketFence PKI Root CA on the testing 
> device?
>  
> Because without the Root CA installed on either device, it would not be able 
> to trust the certificate issued by the PacketFence PKI and also the chain.
>  
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca <http://www.inverse.ca/>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> <http://www.sogo.nu/>) and PacketFence (http://packetfence.org 
> <http://packetfence.org/>) 
>  
> 
> 
> 
> 
>> On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net> wrote:
>>  
>> Hi,
>>  
>> I am using Packetfence 10.2 and have configured the internal PKI to deploy 
>> certificates to clients which works fine. I thought I’d use the PKI also to 
>> create certificates for internal Web Servers. This works in general but 
>> Browsers show errors as no SAN is given in the certificate. Is there a way 
>> to add SANs to the certificate? 
>>  
>> Thanks,
>> Tom.
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net 
>> <mailto:PacketFence-users@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users 
>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
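The name check Tom describes in the quoted message, as an added example that is not part of the thread or of PacketFence: a SAN-only matcher next to the older CN fallback, run over certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The host names, the address and both sample certificates are constructed, and the wildcard rule is a simplified one.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the names and address are placeholders.
CN_ONLY_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "subjectAltName": (
        ("DNS", "intranet.example.test"),
        ("DNS", "*.apps.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def dns_name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the requested host.

    Simplified rule set: case-insensitive, label by label, and '*' is only
    honoured as the complete left-most label in front of at least two labels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def common_names(cert):
    """All commonName values found in the certificate subject."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def san_accepts(cert, hostname):
    """SAN-only check: the subject CN is never consulted."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName extension; CN is not consulted"
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in sans:
        if wanted_ip is not None:
            # An IP literal may only match an iPAddress entry, never a DNS one.
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, "matched iPAddress " + value
        elif kind == "DNS" and dns_name_matches(value, hostname):
            return True, "matched dNSName " + value
    return False, "name not listed in subjectAltName"


def legacy_cn_accepts(cert, hostname):
    """Older behaviour: fall back to the subject CN when there is no SAN."""
    if cert.get("subjectAltName"):
        return san_accepts(cert, hostname)[0]
    return any(dns_name_matches(cn, hostname) for cn in common_names(cert))


if __name__ == "__main__":
    hosts = ("intranet.example.test", "portal.apps.example.test", "192.0.2.10")
    for label, cert in (("CN only", CN_ONLY_CERT), ("CN + SAN", SAN_CERT)):
        for host in hosts:
            ok, why = san_accepts(cert, host)
            legacy = legacy_cn_accepts(cert, host)
            print(f"{label:9} {host:26} legacy={legacy!s:5} san_only={ok!s:5} {why}")
```

The CN-only certificate passes the legacy check and fails the SAN-only one, which is the situation reported for the web-server certificates in this thread.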


Re: [PacketFence-users] Packetfence PKI add SAN

2020-12-07 Thread Ludovic Zammit via PacketFence-users
Hello Tom,

Which browsers? Did you install the PacketFence PKI Root CA on the testing 
device?

Because without the Root CA installed on either device, it would not be able to 
trust the certificate issued by the PacketFence PKI and also the chain.

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)




> On Dec 7, 2020, at 6:36 AM, tom--- via PacketFence-users 
>  wrote:
> 
> Hi,
>  
> I am using Packetfence 10.2 and have configured the internal PKI to deploy 
> certificates to clients which works fine. I thought I’d use the PKI also to 
> create certificates for internal Web Servers. This works in general but 
> Browsers show errors as no SAN is given in the certificate. Is there a way to 
> add SANs to the certificate? 
>  
> Thanks,
> Tom.


[PacketFence-users] Packetfence PKI add SAN

2020-12-07 Thread tom--- via PacketFence-users
Hi,

 

I am using Packetfence 10.2 and have configured the internal PKI to deploy
certificates to clients which works fine. I thought I'd use the PKI also to
create certificates for internal Web Servers. This works in general but
Browsers show errors as no SAN is given in the certificate. Is there a way
to add SANs to the certificate? 

 

Thanks,

Tom.



[PacketFence-users] PacketFence PKI still maintained?

2019-07-12 Thread Brenek, Benjamin via PacketFence-users
Hi All,

I was wondering if PacketFence PKI is still maintained? I am unable to get it 
to work on the instructions provided here: 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html.

I have tried all 3 distros, but none of them work and all error out due to 
missing dependencies from the PacketFence repo.

Any help in getting this up and running (if the project is still active) would 
be great.

Thank you,

Ben




[PacketFence-users] PacketFence-PKI Installation Problems

2019-04-29 Thread Simon Bone via PacketFence-users
I'm attempting to install PacketFence-PKI on a Debian 8.11 Jessie but
running into problems.

I'm following 3.1.4 from the installation instructions (
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html) but
get the following error messages when running the apt-get command:

*command: *
sudo apt-get install packetfence-pki

*errors:*
Err http://inverse.ca/downloads/PacketFence/debian/ wheezy/wheezy
python-django-bootstrap3 all 5.4.0-1
  404  Not Found [IP: 192.95.20.194 80]
Err http://inverse.ca/downloads/PacketFence/debian/ wheezy/wheezy
packetfence-pki all 1.0.4
  404  Not Found [IP: 192.95.20.194 80]
Unable to correct missing packages.
E: Failed to fetch
http://inverse.ca/downloads/PacketFence/debian/pool/wheezy/d/django-bootstrap3/python-django-bootstrap3_5.4.0-1_all.deb
404  Not Found [IP: 192.95.20.194 80]

E: Failed to fetch
http://inverse.ca/downloads/PacketFence/debian/pool/wheezy/p/packetfence-pki/packetfence-pki_1.0.4_all.deb
404  Not Found [IP: 192.95.20.194 80]

E: Aborting install.

I found this post that discusses a similar issue but it doesn't appear to
have been resolved:
https://sourceforge.net/p/packetfence/mailman/message/35907472/

Any advice on how to work around this issue would be greatly appreciated!

Thanks


Re: [PacketFence-users] Packetfence-PKI

2019-03-19 Thread Rankin, Cory via PacketFence-users
Hello Nicholas,

After reinstalling it I believe it does not start completely over? I cannot
login with the default credential.

 packetfence-pki noarch
 1.1.3-1.el7.centos packetfence-extra
   552 k

Transaction Summary
===
Reinstall  1 Package

Total download size: 552 k
Installed size: 1.3 M
Is this ok [y/d/N]: y
Downloading packages:
packetfence-pki-1.1.3-1.el7.centos.noarch.rpm
 | 552 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : packetfence-pki-1.1.3-1.el7.centos.noarch
   1/1
certificate exist do nothing
Database is there do nothing
Disabling SELinux...
setenforce: SELinux is disabled
FirewallD is not running
FirewallD is not running
  Verifying  : packetfence-pki-1.1.3-1.el7.centos.noarch
   1/1

Installed:
  packetfence-pki.noarch 0:1.1.3-1.el7.centos

On Mon, Mar 18, 2019 at 8:56 AM Nicolas Quiniou-Briand via
PacketFence-users  wrote:

> Hello,
>
> On 2019-03-15 9:35 p.m., Rankin, Cory via PacketFence-users wrote:
> > I think I need to start over on the PKI. What is the best way to start
> > over? I believe I deleted the only user (thought I was deleting an api
> > user).
>
> Try:
>
> yum reinstall packetfence-pki --enablerepo=packetfence,packetfence-extra
>
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca  ::  +1.514.447.4918 *140  ::
> https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] Packetfence-PKI

2019-03-18 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello,

On 2019-03-15 9:35 p.m., Rankin, Cory via PacketFence-users wrote:
> I think I need to start over on the PKI. What is the best way to start 
> over? I believe I deleted the only user (thought I was deleting an api 
> user).


Try:

yum reinstall packetfence-pki --enablerepo=packetfence,packetfence-extra

--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





[PacketFence-users] Packetfence-PKI

2019-03-17 Thread Rankin, Cory via PacketFence-users
Hello,

I think I need to start over on the PKI. What is the best way to start
over? I believe I deleted the only user (thought I was deleting an api
user).

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] packetfence-pki

2019-02-10 Thread Durand fabrice via PacketFence-users

Cory,

do the command in /usr/local/packetfence-pki/

Regards

Fabrice


On 19-02-10 at 09:50, Rankin, Cory wrote:

Fabrice,

When I went back to the GUI everything seemed okay. I tried that 
command but this is what I received:


# patch -p1 < /root/views.py.diff
(Stripping trailing CRs from patch; use --binary to disable.)
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|index b0a06cc..70b9af7 100644
|--- a/pki/views.py
|+++ b/pki/views.py
--


I have been proceeding with the instructions and everything seems okay 
at the moment.


Thanks,
Cory

On Sat, Feb 9, 2019 at 9:21 PM Durand fabrice wrote:


Hello Cory,

can you try that

patch -p1 < views.py.diff

and restart the pki.


On 19-02-09 at 21:13, Rankin, Cory wrote:

Fabrice,

I've gotten to the last step of the GUI configuration and clicked
accept and I've reached

UnboundLocalError at /pki/init_wizard/
local variable 'profile' referenced before assignment
Exception Location:/usr/local/packetfence-pki/pki/views.py in
done, line 550

Could be because my django version is slightly different?

On Sat, Feb 9, 2019 at 8:57 PM Rankin, Cory
<rank...@pitt.k12.nc.us> wrote:

Fabrice,

I am able to get to the web GUI now after downgrading to
python-django-1.8.1-1.1.el7.noarch manually. pki manual may
need to be updated there and also to remove the space after
the comma in the pki install.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

Thank you for all your help
Cory


On Sat, Feb 9, 2019 at 8:41 PM Durand fabrice
<fdur...@inverse.ca> wrote:

Hello Cory,

it's probably coming from epel, try to remove it, disable
epel repo and retry, it should work.

I will try to support django-1.11.

Regards

Fabrice


On 19-02-09 at 20:33, Rankin, Cory wrote:

Fabrice,

Thank you for your reply.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.11.18-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python2-django-1.11.18-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

It seems it installed django-1.11.18-1 when I ran the
packetfence-pki install I will try to update.

On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via
PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

Hello Cory,

can you do rpm -qa|grep django


in ref what i have on my side:

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-3.1.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-3.1.noarch
python-django-bootstrap3-5.1.0-4.1.noarch


Regards

Fabrice


On 19-02-08 at 19:45, Rankin, Cory via
PacketFence-users wrote:

Hello,

Are the packetfence-pki instructions at

https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html outdated?


Under step 3.1.6. does not seem to work unless you
remove the space after "-extra, "
yum install packetfence-pki
--enablerepo=packetfence-extra, packetfence

After removing the space I can get it installed but
then I get a host of errors trying to get to the
GUI including 'Invalid HTTP_HOST header',
'ImportError: cannot import name lazy_property',
and 'ImportError: cannot import name patterns'

CentOS7, new installation of packetfence

Thanks

Message Sent from PCS GMail




Re: [PacketFence-users] packetfence-pki

2019-02-10 Thread Rankin, Cory via PacketFence-users
Fabrice,

When I went back to the GUI everything seemed okay. I tried that command
but this is what I received:

# patch -p1 < /root/views.py.diff
(Stripping trailing CRs from patch; use --binary to disable.)
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|index b0a06cc..70b9af7 100644
|--- a/pki/views.py
|+++ b/pki/views.py
--


I have been proceeding with the instructions and everything seems okay at
the moment.

Thanks,
Cory

On Sat, Feb 9, 2019 at 9:21 PM Durand fabrice  wrote:

> Hello Cory,
>
> can you try that
>
> patch -p1 < views.py.diff
>
> and restart the pki.
>
>
> On 19-02-09 at 21:13, Rankin, Cory wrote:
>
> Fabrice,
>
> I've gotten to the last step of the GUI configuration and clicked accept
> and I've reached
>
> UnboundLocalError at /pki/init_wizard/
> local variable 'profile' referenced before assignment
> Exception Location: /usr/local/packetfence-pki/pki/views.py in done, line
> 550
>
> Could be because my django version is slightly different?
>
> On Sat, Feb 9, 2019 at 8:57 PM Rankin, Cory 
> wrote:
>
>> Fabrice,
>>
>> I am able to get to the web GUI now after downgrading to 
>> python-django-1.8.1-1.1.el7.noarch
>> manually. pki manual may need to be updated there and also to remove the
>> space after the comma in the pki install.
>>
>> django-countries-5.0-4.1.noarch
>> python-django-rest-framework-3.1.1-16.1.noarch
>> python-django-tagging-0.3.6-5.1.noarch
>> python-django-bash-completion-1.8.1-1.el7.noarch
>> python2-django-formtools-1.0-4.1.noarch
>> python-django-1.8.1-1.el7.noarch
>> python-django-bootstrap3-5.1.0-4.1.noarch
>>
>> Thank you for all your help
>> Cory
>>
>>
>> On Sat, Feb 9, 2019 at 8:41 PM Durand fabrice  wrote:
>>
>>> Hello Cory,
>>>
>>> it's probably coming from epel, try to remove it, disable epel repo and
>>> retry, it should work.
>>>
>>> I will try to support django-1.11.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 19-02-09 at 20:33, Rankin, Cory wrote:
>>>
>>> Fabrice,
>>>
>>> Thank you for your reply.
>>>
>>> django-countries-5.0-4.1.noarch
>>> python-django-rest-framework-3.1.1-16.1.noarch
>>> python-django-tagging-0.3.6-5.1.noarch
>>> python-django-bash-completion-1.11.18-1.el7.noarch
>>> python2-django-formtools-1.0-4.1.noarch
>>> python2-django-1.11.18-1.el7.noarch
>>> python-django-bootstrap3-5.1.0-4.1.noarch
>>>
>>> It seems it installed django-1.11.18-1 when I ran the packetfence-pki
>>> install I will try to update.
>>>
>>> On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hello Cory,
>>>>
>>>> can you do rpm -qa|grep django
>>>>
>>>>
>>>> in ref what i have on my side:
>>>>
>>>> django-countries-5.0-4.1.noarch
>>>> python-django-rest-framework-3.1.1-16.1.noarch
>>>> python-django-tagging-0.3.6-5.1.noarch
>>>> python-django-bash-completion-1.8.1-3.1.noarch
>>>> python2-django-formtools-1.0-4.1.noarch
>>>> python-django-1.8.1-3.1.noarch
>>>> python-django-bootstrap3-5.1.0-4.1.noarch
>>>>
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>> On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users wrote:
>>>>
>>>> Hello,
>>>>
>>>> Are the packetfence-pki instructions at
>>>> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>>>>  outdated?
>>>>
>>>> Under step 3.1.6. does not seem to work unless you remove the space
>>>> after "-extra, "
>>>> yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>>>>
>>>> After removing the space I can get it installed but then I get a host
>>>> of errors trying to get to the GUI including 'Invalid HTTP_HOST header',
>>>> 'ImportError: cannot import name lazy_property', and 'ImportError: cannot
>>>> import name patterns'
>>>>
>>>> CentOS7, new installation of packetfence
>>>>
>>>> Thanks
>>>>
>>>> Message Sent from PCS GMail



>>>
>>> Message Sent from PCS GMail
>>>
>>>
> Message Sent from PCS GMail
>
>

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] packetfence-pki

2019-02-09 Thread Durand fabrice via PacketFence-users

Hello Cory,

can you try that

patch -p1 < views.py.diff

and restart the pki.


On 19-02-09 at 21:13, Rankin, Cory wrote:

Fabrice,

I've gotten to the last step of the GUI configuration and clicked 
accept and I've reached


UnboundLocalError at /pki/init_wizard/
local variable 'profile' referenced before assignment
Exception Location:/usr/local/packetfence-pki/pki/views.py in done, 
line 550


Could be because my django version is slightly different?

On Sat, Feb 9, 2019 at 8:57 PM Rankin, Cory wrote:


Fabrice,

I am able to get to the web GUI now after downgrading to
python-django-1.8.1-1.1.el7.noarch manually. pki manual may need
to be updated there and also to remove the space after the comma
in the pki install.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

Thank you for all your help
Cory


On Sat, Feb 9, 2019 at 8:41 PM Durand fabrice <fdur...@inverse.ca> wrote:

Hello Cory,

it's probably coming from epel, try to remove it, disable epel
repo and retry, it should work.

I will try to support django-1.11.

Regards

Fabrice


On 19-02-09 at 20:33, Rankin, Cory wrote:

Fabrice,

Thank you for your reply.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.11.18-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python2-django-1.11.18-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

It seems it installed django-1.11.18-1 when I ran the
packetfence-pki install I will try to update.

On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Cory,

can you do rpm -qa|grep django


in ref what i have on my side:

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-3.1.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-3.1.noarch
python-django-bootstrap3-5.1.0-4.1.noarch


Regards

Fabrice


On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users
wrote:

Hello,

Are the packetfence-pki instructions at

https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html outdated?


Under step 3.1.6. does not seem to work unless you
remove the space after "-extra, "
yum install packetfence-pki
--enablerepo=packetfence-extra, packetfence

After removing the space I can get it installed but then
I get a host of errors trying to get to the GUI
including 'Invalid HTTP_HOST header', 'ImportError:
cannot import name lazy_property', and 'ImportError:
cannot import name patterns'

CentOS7, new installation of packetfence

Thanks

Message Sent from PCS GMail




Message Sent from PCS GMail



Message Sent from PCS GMail
index b0a06cc..70b9af7 100644
--- a/pki/views.py
+++ b/pki/views.py
@@ -547,7 +547,7 @@ class InitWizard(SessionWizardView):
 if serializer3.is_valid():
 serializer3.save()
 profile = CertProfile.objects.get(name=str(profile_client_data['name']))
-rest_data['profile'] = profile.name
+rest_data['profile'] = profile.name
 serializer4 = restSerializer(data=rest_data)
 if serializer4.is_valid():
 serializer4.save()
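
Review bot: the removed and added `rest_data['profile'] = profile.name` lines are textually identical, so the whole fix is a change of indentation, and from the hunk as shown it cannot be checked which block the assignment now belongs to or whether `profile` is bound on every path that reaches it. Given the reported `UnboundLocalError` for `profile` in `done` at line 550, the assignment should sit in the same block as the `profile = CertProfile.objects.get(...)` line above it, and the path where `serializer3.is_valid()` is false should report `serializer3.errors` and stop, rather than going on to build `serializer4` from a `rest_data` that has no `profile` entry. The patch also begins at the `index` line with no `diff --git` header, and its `a/pki/views.py` path only resolves with `-p1` when `patch` is run from the directory that contains `pki/`, which should be stated alongside the attachment.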



Re: [PacketFence-users] packetfence-pki

2019-02-09 Thread Rankin, Cory via PacketFence-users
Fabrice,

I've gotten to the last step of the GUI configuration and clicked accept
and I've reached

UnboundLocalError at /pki/init_wizard/
local variable 'profile' referenced before assignment
Exception Location: /usr/local/packetfence-pki/pki/views.py in done, line
550

Could be because my django version is slightly different?

On Sat, Feb 9, 2019 at 8:57 PM Rankin, Cory  wrote:

> Fabrice,
>
> I am able to get to the web GUI now after downgrading to 
> python-django-1.8.1-1.1.el7.noarch
> manually. pki manual may need to be updated there and also to remove the
> space after the comma in the pki install.
>
> django-countries-5.0-4.1.noarch
> python-django-rest-framework-3.1.1-16.1.noarch
> python-django-tagging-0.3.6-5.1.noarch
> python-django-bash-completion-1.8.1-1.el7.noarch
> python2-django-formtools-1.0-4.1.noarch
> python-django-1.8.1-1.el7.noarch
> python-django-bootstrap3-5.1.0-4.1.noarch
>
> Thank you for all your help
> Cory
>
>
> On Sat, Feb 9, 2019 at 8:41 PM Durand fabrice  wrote:
>
>> Hello Cory,
>>
>> it's probably coming from epel, try to remove it, disable epel repo and
>> retry, it should work.
>>
>> I will try to support django-1.11.
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 19-02-09 at 20:33, Rankin, Cory wrote:
>>
>> Fabrice,
>>
>> Thank you for your reply.
>>
>> django-countries-5.0-4.1.noarch
>> python-django-rest-framework-3.1.1-16.1.noarch
>> python-django-tagging-0.3.6-5.1.noarch
>> python-django-bash-completion-1.11.18-1.el7.noarch
>> python2-django-formtools-1.0-4.1.noarch
>> python2-django-1.11.18-1.el7.noarch
>> python-django-bootstrap3-5.1.0-4.1.noarch
>>
>> It seems it installed django-1.11.18-1 when I ran the packetfence-pki
>> install I will try to update.
>>
>> On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Cory,
>>>
>>> can you do rpm -qa|grep django
>>>
>>>
>>> in ref what i have on my side:
>>>
>>> django-countries-5.0-4.1.noarch
>>> python-django-rest-framework-3.1.1-16.1.noarch
>>> python-django-tagging-0.3.6-5.1.noarch
>>> python-django-bash-completion-1.8.1-3.1.noarch
>>> python2-django-formtools-1.0-4.1.noarch
>>> python-django-1.8.1-3.1.noarch
>>> python-django-bootstrap3-5.1.0-4.1.noarch
>>>
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users wrote:
>>>
>>> Hello,
>>>
>>> Are the packetfence-pki instructions at
>>> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>>>  outdated?
>>>
>>> Under step 3.1.6. does not seem to work unless you remove the space
>>> after "-extra, "
>>> yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>>>
>>> After removing the space I can get it installed but then I get a host of
>>> errors trying to get to the GUI including 'Invalid HTTP_HOST header',
>>> 'ImportError: cannot import name lazy_property', and 'ImportError: cannot
>>> import name patterns'
>>>
>>> CentOS7, new installation of packetfence
>>>
>>> Thanks
>>>
>>> Message Sent from PCS GMail
>>>
>>>
>>>
>>
>> Message Sent from PCS GMail
>>
>>

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] packetfence-pki

2019-02-09 Thread Rankin, Cory via PacketFence-users
Fabrice,

I am able to get to the web GUI now after downgrading to
python-django-1.8.1-1.1.el7.noarch
manually. pki manual may need to be updated there and also to remove the
space after the comma in the pki install.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

Thank you for all your help
Cory


On Sat, Feb 9, 2019 at 8:41 PM Durand fabrice  wrote:

> Hello Cory,
>
> it's probably coming from epel, try to remove it, disable epel repo and
> retry, it should work.
>
> I will try to support django-1.11.
>
> Regards
>
> Fabrice
>
>
> On 19-02-09 at 20:33, Rankin, Cory wrote:
>
> Fabrice,
>
> Thank you for your reply.
>
> django-countries-5.0-4.1.noarch
> python-django-rest-framework-3.1.1-16.1.noarch
> python-django-tagging-0.3.6-5.1.noarch
> python-django-bash-completion-1.11.18-1.el7.noarch
> python2-django-formtools-1.0-4.1.noarch
> python2-django-1.11.18-1.el7.noarch
> python-django-bootstrap3-5.1.0-4.1.noarch
>
> It seems it installed django-1.11.18-1 when I ran the packetfence-pki
> install I will try to update.
>
> On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Cory,
>>
>> can you do rpm -qa|grep django
>>
>>
>> in ref what i have on my side:
>>
>> django-countries-5.0-4.1.noarch
>> python-django-rest-framework-3.1.1-16.1.noarch
>> python-django-tagging-0.3.6-5.1.noarch
>> python-django-bash-completion-1.8.1-3.1.noarch
>> python2-django-formtools-1.0-4.1.noarch
>> python-django-1.8.1-3.1.noarch
>> python-django-bootstrap3-5.1.0-4.1.noarch
>>
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users wrote:
>>
>> Hello,
>>
>> Are the packetfence-pki instructions at
>> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>>  outdated?
>>
>> Under step 3.1.6. does not seem to work unless you remove the space after
>> "-extra, "
>> yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>>
>> After removing the space I can get it installed but then I get a host of
>> errors trying to get to the GUI including 'Invalid HTTP_HOST header',
>> 'ImportError: cannot import name lazy_property', and 'ImportError: cannot
>> import name patterns'
>>
>> CentOS7, new installation of packetfence
>>
>> Thanks
>>
>> Message Sent from PCS GMail
>>
>>
>>
>
> Message Sent from PCS GMail
>
>

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] packetfence-pki

2019-02-09 Thread Rankin, Cory via PacketFence-users
Fabrice,

Thank you for your reply.

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.11.18-1.el7.noarch
python2-django-formtools-1.0-4.1.noarch
python2-django-1.11.18-1.el7.noarch
python-django-bootstrap3-5.1.0-4.1.noarch

It seems it installed django-1.11.18-1 when I ran the packetfence-pki
install I will try to update.

On Fri, Feb 8, 2019 at 8:33 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Cory,
>
> can you do rpm -qa|grep django
>
>
> in ref what i have on my side:
>
> django-countries-5.0-4.1.noarch
> python-django-rest-framework-3.1.1-16.1.noarch
> python-django-tagging-0.3.6-5.1.noarch
> python-django-bash-completion-1.8.1-3.1.noarch
> python2-django-formtools-1.0-4.1.noarch
> python-django-1.8.1-3.1.noarch
> python-django-bootstrap3-5.1.0-4.1.noarch
>
>
> Regards
>
> Fabrice
>
>
> On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users wrote:
>
> Hello,
>
> Are the packetfence-pki instructions at
> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
>  outdated?
>
> Under step 3.1.6. does not seem to work unless you remove the space after
> "-extra, "
> yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
>
> After removing the space I can get it installed but then I get a host of
> errors trying to get to the GUI including 'Invalid HTTP_HOST header',
> 'ImportError: cannot import name lazy_property', and 'ImportError: cannot
> import name patterns'
>
> CentOS7, new installation of packetfence
>
> Thanks
>
> Message Sent from PCS GMail
>
>
>

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] packetfence-pki

2019-02-08 Thread Durand fabrice via PacketFence-users

Hello Cory,

can you do rpm -qa|grep django


in ref what i have on my side:

django-countries-5.0-4.1.noarch
python-django-rest-framework-3.1.1-16.1.noarch
python-django-tagging-0.3.6-5.1.noarch
python-django-bash-completion-1.8.1-3.1.noarch
python2-django-formtools-1.0-4.1.noarch
python-django-1.8.1-3.1.noarch
python-django-bootstrap3-5.1.0-4.1.noarch


Regards

Fabrice


On 19-02-08 at 19:45, Rankin, Cory via PacketFence-users wrote:

Hello,

Are the packetfence-pki instructions at 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html outdated? 



Under step 3.1.6. does not seem to work unless you remove the space 
after "-extra, "

yum install packetfence-pki --enablerepo=packetfence-extra, packetfence

After removing the space I can get it installed but then I get a host 
of errors trying to get to the GUI including 'Invalid HTTP_HOST 
header', 'ImportError: cannot import name lazy_property', and 
'ImportError: cannot import name patterns'


CentOS7, new installation of packetfence

Thanks

Message Sent from PCS GMail




[PacketFence-users] packetfence-pki

2019-02-08 Thread Rankin, Cory via PacketFence-users
Hello,

Are the packetfence-pki instructions at
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
 outdated?

Under step 3.1.6. does not seem to work unless you remove the space after
"-extra, "
yum install packetfence-pki --enablerepo=packetfence-extra, packetfence

After removing the space I can get it installed but then I get a host of
errors trying to get to the GUI including 'Invalid HTTP_HOST header',
'ImportError: cannot import name lazy_property', and 'ImportError: cannot
import name patterns'

CentOS7, new installation of packetfence

Thanks

-- 
Message Sent from PCS GMail



Re: [PacketFence-users] Packetfence-pki restore/ovewrite admin password

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello,

what you can do is to connect in the sqlite db and update the password.

sqlite3 db.sqlite3

UPDATE "auth_user" set
password='pbkdf2_sha256$2$Z2Lhr1cW8QM0$mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ='
where username='admin';

the password is p@ck3tf3nc3


Regards

Fabrice



On 2018-01-03 at 10:12, Rokkhan via PacketFence-users wrote:
> Hi,
>
> I am unable to login to packetfence-pki web interface with the admin
> password neither with another user I created after installation.
>
> Is there any way to restore or overwrite the admin password?
>
> I am using Packetfence-pki 1.0.5 in centos 7
>
> Greetings
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
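
To set a password of your own choosing instead of the one published in this message, the following added example (not code from the thread or from PacketFence) builds a Django-format `pbkdf2_sha256$iterations$salt$digest` value with the standard library and writes it with a parameterised UPDATE. The function names, the iteration count and the in-memory table are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3

ALGORITHM = "pbkdf2_sha256"
# Assumed work factor for this example; match the default of the Django
# release that will verify the hash.
DEFAULT_ITERATIONS = 600000
SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Value copied from the message above, used here only to show the field layout.
POSTED_HASH = ("pbkdf2_sha256$2$Z2Lhr1cW8QM0$"
               "mN9PtNhxneIDzApqFa4uG8V44IXqHe+r7yootSoSzJQ=")


def parse_hash(encoded):
    """Split 'algorithm$iterations$salt$digest' into its four fields."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a pbkdf2_sha256 hash")
    algorithm, iterations, salt, digest_b64 = parts
    return algorithm, int(iterations), salt, base64.b64decode(digest_b64)


def make_hash(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Encode a password the way Django's PBKDF2 hasher stores it."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(digest).decode("ascii"))


def verify(password, encoded):
    """Recompute with the stored salt and iterations, compare in constant time."""
    _, iterations, salt, _ = parse_hash(encoded)
    candidate = make_hash(password, salt, iterations)
    return hmac.compare_digest(candidate.encode("ascii"),
                               encoded.encode("ascii"))


def is_weak(encoded, minimum=DEFAULT_ITERATIONS):
    """True when the stored iteration count is below the chosen floor."""
    return parse_hash(encoded)[1] < minimum


def reset_password(conn, username, new_password, iterations=DEFAULT_ITERATIONS):
    """Store a freshly salted hash for one existing user and return it."""
    encoded = make_hash(new_password, iterations=iterations)
    cur = conn.execute(
        'UPDATE "auth_user" SET password = ? WHERE username = ?',
        (encoded, username))
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError("no single user named %r" % username)
    conn.commit()
    return encoded


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")  # constructed stand-in for db.sqlite3
    db.execute("CREATE TABLE auth_user (username TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO auth_user VALUES ('admin', ?)", (POSTED_HASH,))
    db.commit()
    new = reset_password(db, "admin", secrets.token_urlsafe(16))
    print(parse_hash(new)[:3], is_weak(POSTED_HASH), is_weak(new))
```

The iteration field of the value posted above is 2, so `is_weak` flags it; a hash generated this way carries its own random salt and the work factor you chose.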



[PacketFence-users] Packetfence-pki restore/ovewrite admin password

2018-01-03 Thread Rokkhan via PacketFence-users
Hi,

I am unable to login to packetfence-pki web interface with the admin
password neither with another user I created after installation.

Is there any way to restore or overwrite the admin password?

I am using Packetfence-pki 1.0.5 in centos 7

Greetings


Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Jason Sloan via PacketFence-users
Cool, I was wondering if you could type cast in python and if that would
fix it. I also see you added SHA256 for the CA digest. Thanks!

On Wed, Nov 15, 2017 at 9:22 AM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Ok so here the patch
> https://github.com/inverse-inc/packetfence-pki/commit/c66ef2ab34964caecda3d2cdff1c956656227ffc.diff
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-15 at 08:56, Fabrice Durand via PacketFence-users wrote:
>
> Ok i am able to replicate it, let me fix it and i will give you a patch.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 22:41, Jason Sloan wrote:
>
> Sorry, I should have included the values.
> I wasn't sure if the values should be comma delimited or not. I tried both
> comma and space delimited.
>
> KU:
> digitalSignature, keyCertSign, cRLSign
>
> EKU:
> serverAuth
>
> pyOpenSSL version:
> pyOpenSSL-17.2.0-9.1.noarch
>
> On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Jason,
>>
>> i did a try and i am not able to reproduce the error.
>>
>> So it can be an issue with the keyUsage value or an issue with pyopenssl.
>>
>> What did you define for keyUsage and can you give me the version of
>> pyopenssl you use ?
>>
>> rpm -qa|grep -i openssl
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>>
>> Error:
>> Environment:
>>
>> Centos 7 - Clean Install
>>
>> Steps to reproduce:
>> Install Packetfence-PKI
>> Browse to PKI Admin site & login.
>> Complete all 4 steps of initial setup wizard & Submit
>>
>> Error condition occurs.
>>
>> Looks like a bad variable type, probably also related to the newer django
>> version?
>>
>>
>>
>>
>>
>> Error details:
>>
>> Request Method: POST
>> Request URL: https://localhost:9393/pki/init_wizard/
>>
>> Django Version: 1.8.1
>> Python Version: 2.7.5
>> Installed Applications:
>> ('django.contrib.admin',
>>  'django.contrib.auth',
>>  'django.contrib.contenttypes',
>>  'django.contrib.sessions',
>>  'django.contrib.messages',
>>  'django.contrib.staticfiles',
>>  'rest_framework',
>>  'rest_framework.authtoken',
>>  'bootstrap3',
>>  'pki')
>> Installed Middleware:
>> ('django.contrib.sessions.middleware.SessionMiddleware',
>>  'django.middleware.common.CommonMiddleware',
>>  'django.middleware.csrf.CsrfViewMiddleware',
>>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>>  'django.contrib.messages.middleware.MessageMiddleware',
>>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>  'inverse.middleware.SecurityMiddleware')
>>
>>
>> Traceback:
>> File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" in
>> get_response
>>   132. response = wrapped_callback(request,
>> *callback_args, **callback_kwargs)
>> File "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
>> in _wrapped_view
>>   22. return view_func(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
>> view
>>   71. return self.dispatch(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
>> dispatch
>>   237. response = super(WizardView, self).dispatch(request,
>> *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
>> dispatch
>>   89. return handler(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
>>   300. return self.render_done(form, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
>> render_done
>>   357.   **kwargs)
>> File "/usr/local/packetfence-pki/pki/views.py" in done
>>   539. certif.sign()
>> File "/usr/local/packetfence-pki/pki/models.py" in sign
>>   61. cert.add_extensions([crypto.X509Extension("keyUsage",
>> True,self.key_usage)])
>> File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
>>   723. extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx,
>> type_name, value)
>>
>> Exception Type: TypeError at /pki/init_wizard/
>> Exception Value: initializer for ctype 'char *' must be a str or list or
>> tuple, not unicode
>>
>>
>>

Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Fabrice Durand via PacketFence-users
Ok so here the patch
https://github.com/inverse-inc/packetfence-pki/commit/c66ef2ab34964caecda3d2cdff1c956656227ffc.diff

Regards

Fabrice



On 2017-11-15 at 08:56, Fabrice Durand via PacketFence-users wrote:
>
> Ok i am able to replicate it, let me fix it and i will give you a patch.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 22:41, Jason Sloan wrote:
>> Sorry, I should have included the values.
>> I wasn't sure if the values should be comma delimited or not. I tried
>> both comma and space delimited.
>>
>> KU:
>> digitalSignature, keyCertSign, cRLSign
>>
>> EKU:
>> serverAuth
>>
>> pyOpenSSL version:
>> pyOpenSSL-17.2.0-9.1.noarch
>>
>> On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Jason,
>>
>> i did a try and i am not able to reproduce the error.
>>
>> So it can be an issue with the keyUsage value or an issue with
>> pyopenssl.
>>
>> What did you define for keyUsage and can you give me the version
>> of pyopenssl you use ?
>>
>> rpm -qa|grep -i openssl
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>>> Error:
>>> Environment:
>>>
>>> Centos 7 - Clean Install
>>>
>>> Steps to reproduce:
>>> Install Packetfence-PKI
>>> Browse to PKI Admin site & login.
>>> Complete all 4 steps of initial setup wizard & Submit
>>>
>>> Error condition occurs.
>>>
>>> Looks like a bad variable type, probably also related to the
>>> newer django version?
>>>
>>>
>>>
>>>
>>>
>>> Error details:
>>>
>>> Request Method: POST
>>> Request URL: https://localhost:9393/pki/init_wizard/
>>> 
>>>
>>> Django Version: 1.8.1
>>> Python Version: 2.7.5
>>> Installed Applications:
>>> ('django.contrib.admin',
>>>  'django.contrib.auth',
>>>  'django.contrib.contenttypes',
>>>  'django.contrib.sessions',
>>>  'django.contrib.messages',
>>>  'django.contrib.staticfiles',
>>>  'rest_framework',
>>>  'rest_framework.authtoken',
>>>  'bootstrap3',
>>>  'pki')
>>> Installed Middleware:
>>> ('django.contrib.sessions.middleware.SessionMiddleware',
>>>  'django.middleware.common.CommonMiddleware',
>>>  'django.middleware.csrf.CsrfViewMiddleware',
>>>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>>>  'django.contrib.messages.middleware.MessageMiddleware',
>>>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>>  'inverse.middleware.SecurityMiddleware')
>>>
>>>
>>> Traceback:
>>> File
>>> "/usr/lib/python2.7/site-packages/django/core/handlers/base.py"
>>> in get_response
>>>   132.                     response = wrapped_callback(request,
>>> *callback_args, **callback_kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
>>> in _wrapped_view
>>>   22.                 return view_func(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>>> in view
>>>   71.             return self.dispatch(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
>>> dispatch
>>>   237.         response = super(WizardView,
>>> self).dispatch(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>>> in dispatch
>>>   89.         return handler(request, *args, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
>>>   300.                 return self.render_done(form, **kwargs)
>>> File
>>> "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
>>> render_done
>>>   357.                                   **kwargs)
>>> File "/usr/local/packetfence-pki/pki/views.py" in done
>>>   539.             certif.sign()
>>> File "/usr/local/packetfence-pki/pki/models.py" in sign
>>>   61.           
>>>  cert.add_extensions([crypto.X509Extension("keyUsage",
>>> True,self.key_usage)])
>>> File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in
>>> __init__
>>>   723.         extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx,
>>> type_name, value)
>>>
>>> Exception Type: TypeError at /pki/init_wizard/
>>> Exception Value: initializer for ctype 'char *' must be a str or
>>> list or tuple, not unicode
>>>
>>>
>>>
>>> 

Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Jason Sloan via PacketFence-users
Sorry, I should have included the values.
I wasn't sure if the values should be comma delimited or not. I tried both
comma and space delimited.

KU:
digitalSignature, keyCertSign, cRLSign

EKU:
serverAuth

pyOpenSSL version:
pyOpenSSL-17.2.0-9.1.noarch

On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jason,
>
> i did a try and i am not able to reproduce the error.
>
> So it can be an issue with the keyUsage value or an issue with pyopenssl.
>
> What did you define for keyUsage and can you give me the version of
> pyopenssl you use ?
>
> rpm -qa|grep -i openssl
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>
> Error:
> Environment:
>
> Centos 7 - Clean Install
>
> Steps to reproduce:
> Install Packetfence-PKI
> Browse to PKI Admin site & login.
> Complete all 4 steps of initial setup wizard & Submit
>
> Error condition occurs.
>
> Looks like a bad variable type, probably also related to the newer django
> version?
>
>
>
>
>
> Error details:
>
> Request Method: POST
> Request URL: https://localhost:9393/pki/init_wizard/
>
> Django Version: 1.8.1
> Python Version: 2.7.5
> Installed Applications:
> ('django.contrib.admin',
>  'django.contrib.auth',
>  'django.contrib.contenttypes',
>  'django.contrib.sessions',
>  'django.contrib.messages',
>  'django.contrib.staticfiles',
>  'rest_framework',
>  'rest_framework.authtoken',
>  'bootstrap3',
>  'pki')
> Installed Middleware:
> ('django.contrib.sessions.middleware.SessionMiddleware',
>  'django.middleware.common.CommonMiddleware',
>  'django.middleware.csrf.CsrfViewMiddleware',
>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>  'django.contrib.messages.middleware.MessageMiddleware',
>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>  'inverse.middleware.SecurityMiddleware')
>
>
> Traceback:
> File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" in
> get_response
>   132. response = wrapped_callback(request,
> *callback_args, **callback_kwargs)
> File "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
> in _wrapped_view
>   22. return view_func(request, *args, **kwargs)
> File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
> view
>   71. return self.dispatch(request, *args, **kwargs)
> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
> dispatch
>   237. response = super(WizardView, self).dispatch(request, *args,
> **kwargs)
> File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
> dispatch
>   89. return handler(request, *args, **kwargs)
> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
>   300. return self.render_done(form, **kwargs)
> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
> render_done
>   357.   **kwargs)
> File "/usr/local/packetfence-pki/pki/views.py" in done
>   539. certif.sign()
> File "/usr/local/packetfence-pki/pki/models.py" in sign
>   61. cert.add_extensions([crypto.X509Extension("keyUsage",
> True,self.key_usage)])
> File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
>   723. extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx,
> type_name, value)
>
> Exception Type: TypeError at /pki/init_wizard/
> Exception Value: initializer for ctype 'char *' must be a str or list or
> tuple, not unicode
>
>
>


Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-15 Thread Fabrice Durand via PacketFence-users
Ok i am able to replicate it, let me fix it and i will give you a patch.

Regards

Fabrice



On 2017-11-14 at 22:41, Jason Sloan wrote:
> Sorry, I should have included the values.
> I wasn't sure if the values should be comma delimited or not. I tried
> both comma and space delimited.
>
> KU:
> digitalSignature, keyCertSign, cRLSign
>
> EKU:
> serverAuth
>
> pyOpenSSL version:
> pyOpenSSL-17.2.0-9.1.noarch
>
> On Tue, Nov 14, 2017 at 6:32 PM, Durand fabrice via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Jason,
>
> i did a try and i am not able to reproduce the error.
>
> So it can be an issue with the keyUsage value or an issue with
> pyopenssl.
>
> What did you define for keyUsage and can you give me the version
> of pyopenssl you use ?
>
> rpm -qa|grep -i openssl
>
> Regards
>
> Fabrice
>
>
>
> On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:
>> Error:
>> Environment:
>>
>> Centos 7 - Clean Install
>>
>> Steps to reproduce:
>> Install Packetfence-PKI
>> Browse to PKI Admin site & login.
>> Complete all 4 steps of initial setup wizard & Submit
>>
>> Error condition occurs.
>>
>> Looks like a bad variable type, probably also related to the
>> newer django version?
>>
>>
>>
>>
>>
>> Error details:
>>
>> Request Method: POST
>> Request URL: https://localhost:9393/pki/init_wizard/
>> 
>>
>> Django Version: 1.8.1
>> Python Version: 2.7.5
>> Installed Applications:
>> ('django.contrib.admin',
>>  'django.contrib.auth',
>>  'django.contrib.contenttypes',
>>  'django.contrib.sessions',
>>  'django.contrib.messages',
>>  'django.contrib.staticfiles',
>>  'rest_framework',
>>  'rest_framework.authtoken',
>>  'bootstrap3',
>>  'pki')
>> Installed Middleware:
>> ('django.contrib.sessions.middleware.SessionMiddleware',
>>  'django.middleware.common.CommonMiddleware',
>>  'django.middleware.csrf.CsrfViewMiddleware',
>>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>>  'django.contrib.messages.middleware.MessageMiddleware',
>>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>  'inverse.middleware.SecurityMiddleware')
>>
>>
>> Traceback:
>> File
>> "/usr/lib/python2.7/site-packages/django/core/handlers/base.py"
>> in get_response
>>   132.                     response = wrapped_callback(request,
>> *callback_args, **callback_kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
>> in _wrapped_view
>>   22.                 return view_func(request, *args, **kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>> in view
>>   71.             return self.dispatch(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in dispatch
>>   237.         response = super(WizardView,
>> self).dispatch(request, *args, **kwargs)
>> File
>> "/usr/lib/python2.7/site-packages/django/views/generic/base.py"
>> in dispatch
>>   89.         return handler(request, *args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in post
>>   300.                 return self.render_done(form, **kwargs)
>> File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py"
>> in render_done
>>   357.                                   **kwargs)
>> File "/usr/local/packetfence-pki/pki/views.py" in done
>>   539.             certif.sign()
>> File "/usr/local/packetfence-pki/pki/models.py" in sign
>>   61.           
>>  cert.add_extensions([crypto.X509Extension("keyUsage",
>> True,self.key_usage)])
>> File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
>>   723.         extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx,
>> type_name, value)
>>
>> Exception Type: TypeError at /pki/init_wizard/
>> Exception Value: initializer for ctype 'char *' must be a str or
>> list or tuple, not unicode
>>
>>
>>
>> 

Re: [PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-14 Thread Durand fabrice via PacketFence-users

Hello Jason,

i did a try and i am not able to reproduce the error.

So it can be an issue with the keyUsage value or an issue with pyopenssl.

What did you define for keyUsage and can you give me the version of 
pyopenssl you use ?


rpm -qa|grep -i openssl

Regards

Fabrice



On 2017-11-14 at 16:14, Jason Sloan via PacketFence-users wrote:

Error:
Environment:

Centos 7 - Clean Install

Steps to reproduce:
Install Packetfence-PKI
Browse to PKI Admin site & login.
Complete all 4 steps of initial setup wizard & Submit

Error condition occurs.

Looks like a bad variable type, probably also related to the newer 
django version?






Error details:

Request Method: POST
Request URL: https://localhost:9393/pki/init_wizard/

Django Version: 1.8.1
Python Version: 2.7.5
Installed Applications:
('django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'rest_framework.authtoken',
 'bootstrap3',
 'pki')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'inverse.middleware.SecurityMiddleware')


Traceback:
File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" 
in get_response
  132.                     response = wrapped_callback(request, 
*callback_args, **callback_kwargs)
File 
"/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py" 
in _wrapped_view

  22.                 return view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" 
in view

  71.             return self.dispatch(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in 
dispatch
  237.         response = super(WizardView, self).dispatch(request, 
*args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" 
in dispatch

  89.         return handler(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
  300.                 return self.render_done(form, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in 
render_done

  357.                                   **kwargs)
File "/usr/local/packetfence-pki/pki/views.py" in done
  539.             certif.sign()
File "/usr/local/packetfence-pki/pki/models.py" in sign
  61.  cert.add_extensions([crypto.X509Extension("keyUsage", 
True,self.key_usage)])

File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
  723.         extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, 
type_name, value)


Exception Type: TypeError at /pki/init_wizard/
Exception Value: initializer for ctype 'char *' must be a str or list 
or tuple, not unicode






[PacketFence-users] Packetfence-PKI / Setup Wizard Error

2017-11-14 Thread Jason Sloan via PacketFence-users
Error:
Environment:

Centos 7 - Clean Install

Steps to reproduce:
Install Packetfence-PKI
Browse to PKI Admin site & login.
Complete all 4 steps of initial setup wizard & Submit

Error condition occurs.

Looks like a bad variable type, probably also related to the newer django
version?





Error details:

Request Method: POST
Request URL: https://localhost:9393/pki/init_wizard/

Django Version: 1.8.1
Python Version: 2.7.5
Installed Applications:
('django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'rest_framework.authtoken',
 'bootstrap3',
 'pki')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'inverse.middleware.SecurityMiddleware')


Traceback:
File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py" in
get_response
  132. response = wrapped_callback(request,
*callback_args, **callback_kwargs)
File "/usr/lib/python2.7/site-packages/django/contrib/auth/decorators.py"
in _wrapped_view
  22. return view_func(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in view
  71. return self.dispatch(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
dispatch
  237. response = super(WizardView, self).dispatch(request, *args,
**kwargs)
File "/usr/lib/python2.7/site-packages/django/views/generic/base.py" in
dispatch
  89. return handler(request, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in post
  300. return self.render_done(form, **kwargs)
File "/usr/lib/python2.7/site-packages/formtools/wizard/views.py" in
render_done
  357.   **kwargs)
File "/usr/local/packetfence-pki/pki/views.py" in done
  539. certif.sign()
File "/usr/local/packetfence-pki/pki/models.py" in sign
  61. cert.add_extensions([crypto.X509Extension("keyUsage",
True,self.key_usage)])
File "/usr/lib/python2.7/site-packages/OpenSSL/crypto.py" in __init__
  723. extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name,
value)

Exception Type: TypeError at /pki/init_wizard/
Exception Value: initializer for ctype 'char *' must be a str or list or
tuple, not unicode
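
The call that fails in the traceback hands a Python 2 unicode form value to pyOpenSSL's `X509Extension`, which takes byte strings for `type_name` and `value`. The added example below (not the project's patch) shows one way to turn the wizard's KU and EKU fields, comma or space delimited, into validated byte-string arguments for that constructor; the helper names, the subset of EKU names and the criticality flags are assumptions of the example.

```python
import re

# keyUsage short names understood by OpenSSL's X509v3 configuration syntax.
KEY_USAGE = ("digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly")
# Common extendedKeyUsage short names (a subset; OIDs are not handled here).
EXT_KEY_USAGE = ("serverAuth", "clientAuth", "codeSigning",
                 "emailProtection", "timeStamping", "OCSPSigning")


def _normalize(raw, allowed, field):
    """Split on commas and/or whitespace, validate, fix case, drop repeats."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    by_lower = {name.lower(): name for name in allowed}
    names = []
    for token in re.split(r"[,\s]+", raw.strip()):
        if not token:
            continue
        name = by_lower.get(token.lower())
        if name is None:
            raise ValueError("%s: unknown name %r" % (field, token))
        if name not in names:
            names.append(name)
    if not names:
        raise ValueError("%s: no usage given" % field)
    return names


def extension_args(key_usage, ext_key_usage=None, is_ca=False):
    """Return (type_name, critical, value) tuples, all text as bytes.

    Each tuple can be unpacked into OpenSSL.crypto.X509Extension(*args).
    Hypothetical helper: it is not part of packetfence-pki or pyOpenSSL.
    """
    ku = _normalize(key_usage, KEY_USAGE, "keyUsage")
    if is_ca and "keyCertSign" not in ku:
        # Without this bit the CA's signatures on certificates are rejected.
        raise ValueError("keyUsage: a CA certificate needs keyCertSign")
    args = [(b"keyUsage", True, ", ".join(ku).encode("ascii"))]
    if ext_key_usage:
        eku = _normalize(ext_key_usage, EXT_KEY_USAGE, "extendedKeyUsage")
        args.append((b"extendedKeyUsage", False,
                     ", ".join(eku).encode("ascii")))
    return args


if __name__ == "__main__":
    # Values as reported in the thread, typed the way a web form delivers them.
    for item in extension_args(u"digitalSignature, keyCertSign, cRLSign",
                               u"serverAuth", is_ca=True):
        print(item)
```

Rejecting unknown names before the value reaches OpenSSL also catches an EKU name such as `serverAuth` entered in the KU field.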


Re: [PacketFence-users] PacketFence PKI

2017-08-25 Thread Akala Kehinde via PacketFence-users
Hi Max,

Yea, I tested it and works fine. You can follow the steps in the PF PKI
guide.

Regards,
Kehinde

On Fri, Aug 18, 2017 at 6:02 PM, Max McGrath via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Is anybody currently using PacketFence's PKI?
>
> I'm curious how well it works and what the work flow for the end user
> looks like.
>
> Thanks!
>
> Max
> --
> Max McGrath  
> Network Administrator
> Carthage College
> 262-551-
> mmcgr...@carthage.edu
>
> 


[PacketFence-users] PacketFence PKI

2017-08-18 Thread Max McGrath via PacketFence-users
Is anybody currently using PacketFence's PKI?

I'm curious how well it works and what the work flow for the end user looks
like.

Thanks!

Max
--
Max McGrath  
Network Administrator
Carthage College
262-551-
mmcgr...@carthage.edu


[PacketFence-users] Packetfence-pki IOS provisiones error

2017-06-26 Thread Rokkhan via PacketFence-users
Hi,

I am trying to generate a certificate for iOS devices but I am unable to
install it on iOS devices. I see in the documentation that I need a
certificate signed by a known Certificate Authority, and I have a certificate
that I am using on web servers signed by GoDaddy, but I think that I am
doing something wrong because I get an error.
I also tried to install the certificate by sending it by email through
packetfence-pki, but I get a "profile error" when I try to install the p12
certificate sent by email on my iOS device.

I am using a Centos 6 and PF 6.5.1 server.

Greetings!


Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread mj via PacketFence-users


On 06/22/2017 05:06 PM, David Harvey via PacketFence-users wrote:

Hi packetfence users,

I've been attempting to experiment with packetfence-pki, but have fallen 
at the first hurdle. Namely there doesn't seem to be a Debian Jessie 
package available as advertised at 


Ah sorry: packetfence-pki... Don't know about that one...



Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread mj via PacketFence-users

Hi,

Are you following this: 
https://packetfence.org/support/faq/article/how-to-install-packetfence-on-debian.html


Or are you somehow trying to install things manually..?

(the apt way with the inverse repo worked very well for me on jessie, 
tried last week)


Hope that helps,
MJ

On 06/22/2017 05:06 PM, David Harvey via PacketFence-users wrote:

Hi packetfence users,

I've been attempting to experiment with packetfence-pki, but have fallen 
at the first hurdle. Namely there doesn't seem to be a Debian Jessie 
package available as advertised at 
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html 
(section 3.1)

http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/

I attempted to install the generic deb, but predictably it wouldn't 
accept the pip installed version of django-bootstrap3 as apt doesn't 
know about "python-django-bootstrap3".


Attempted to install from source 
 which looked promising 
until there was no service file that came with make install, so using an 
init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin 
unknown I managed to get to complaints over
/usr/local/packetfence-pki/conf/server.crt 
and /usr/local/packetfence-pki/conf/server.key. I dutifully copied the 
packetfence ones, and although the service starts, I get a bad request 
400 error when visiting https://server:9393.


Now I understand I've mangled the instructions massively, so is there
a) A correct way to do this on Jessie any more?
b) A way of breathing life into my Frankenstein's monster?

Thanks in advance,

David




Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
I feel like there are clues here which almost have me there:

[wsgi:warn] [pid 31927] mod_wsgi: Compiled for Python/2.7.8.
[Thu Jun 22 16:32:35.008061 2017] [wsgi:warn] [pid 31927] mod_wsgi: Runtime using Python/2.7.9.
[Thu Jun 22 16:32:35.008275 2017] [wsgi:alert] [pid 31927] (2)No such file or directory: mod_wsgi (pid=31927): Couldn't bind unix domain socket '/var/run/apache2/wsgi.31927.0.1.sock'.
[Thu Jun 22 16:32:35.009096 2017] [mpm_prefork:notice] [pid 31927] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.2k mod_wsgi/4.3.0 Python/2.7.9 configured -- resuming normal operations
[Thu Jun 22 16:32:35.009109 2017] [core:notice] [pid 31927] AH00094: Command line: '/usr/sbin/apache2 -f /usr/local/packetfence-pki/conf/httpd.conf'

And indeed there is no /var/run/apache2/wsgi.31927.0.1.sock

On Thu, Jun 22, 2017 at 4:17 PM, David Harvey 
wrote:

> FWIW, I also get the same bad request error after forcing apt with:
> dpkg -i --ignore-depends=python-django-bootstrap3 packetfence-pki_1.0.4_all.deb
>
> On Thu, Jun 22, 2017 at 4:06 PM, David Harvey 
> wrote:
>
>> Hi packetfence users,
>>
>> I've been attempting to experiment with packetfence-pki, but have fallen
>> at the first hurdle. Namely there doesn't seem to be a Debian Jessie
>> package available as advertised at
>> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html (section 3.1)
>> http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/
>>
>> I attempted to install the generic deb, but predictably it wouldn't
>> accept the pip installed version of django-bootstrap3 as apt doesn't know
>> about "python-django-bootstrap3".
>>
>> Attempted to install from source
>>  which looked promising
>> until there was no service file that came with make install, so using an
>> init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
>> unknown I managed to get to complaints over
>> /usr/local/packetfence-pki/conf/server.crt and 
>> /usr/local/packetfence-pki/conf/server.key.
>> I dutifully copied the packetfence ones, and although the service starts, I
>> get a bad request 400 error when visiting https://server:9393.
>>
>> Now I understand I've mangled the instructions massively, so is there
>> a) A correct way to do this on Jessie any more?
>> b) A way of breathing life into my Frankenstein's monster?
>>
>> Thanks in advance,
>>
>> David
>>
>
>


[PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
Hi packetfence users,

I've been attempting to experiment with packetfence-pki, but have fallen at
the first hurdle. Namely there doesn't seem to be a Debian Jessie package
available as advertised at
https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html
(section 3.1)
http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/

I attempted to install the generic deb, but predictably it wouldn't accept
the pip installed version of django-bootstrap3 as apt doesn't know about
"python-django-bootstrap3".

Attempted to install from source
 which looked promising
until there was no service file that came with make install, so using an
init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
unknown I managed to get to complaints over
/usr/local/packetfence-pki/conf/server.crt
and /usr/local/packetfence-pki/conf/server.key. I dutifully copied the
packetfence ones, and although the service starts, I get a bad request 400
error when visiting https://server:9393.

Now I understand I've mangled the instructions massively, so is there
a) A correct way to do this on Jessie any more?
b) A way of breathing life into my Frankenstein's monster?

Thanks in advance,

David


Re: [PacketFence-users] packetfence-pki on Debian Jessie

2017-06-22 Thread David Harvey via PacketFence-users
FWIW, I also get the same bad request error after forcing apt with:
dpkg -i --ignore-depends=python-django-bootstrap3 packetfence-pki_1.0.4_all.deb

On Thu, Jun 22, 2017 at 4:06 PM, David Harvey 
wrote:

> Hi packetfence users,
>
> I've been attempting to experiment with packetfence-pki, but have fallen
> at the first hurdle. Namely there doesn't seem to be a Debian Jessie
> package available as advertised at
> https://packetfence.org/doc/PacketFence_PKI_Quick_Install_Guide.html (section 3.1)
> http://inverse.ca/downloads/PacketFence/debian/pool/jessie/p/
>
> I attempted to install the generic deb, but predictably it wouldn't accept
> the pip installed version of django-bootstrap3 as apt doesn't know about
> "python-django-bootstrap3".
>
> Attempted to install from source
>  which looked promising
> until there was no service file that came with make install, so using an
> init.d script (/etc/init.d/packetfence-pki.dpkg-new) admittedly origin
> unknown I managed to get to complaints over
> /usr/local/packetfence-pki/conf/server.crt and 
> /usr/local/packetfence-pki/conf/server.key.
> I dutifully copied the packetfence ones, and although the service starts, I
> get a bad request 400 error when visiting https://server:9393.
>
> Now I understand I've mangled the instructions massively, so is there
> a) A correct way to do this on Jessie any more?
> b) A way of breathing life into my Frankenstein's monster?
>
> Thanks in advance,
>
> David
>


Re: [PacketFence-users] packetfence-pki EAP-tls users and certificate management

2017-06-20 Thread Durand fabrice via PacketFence-users

Hello Rokkhan,

I need to check in the code why you have this error when the certificate 
already exists.

Also the port for ocsp is 9292.

Last thing, to have online/offline status you need to have the radius 
accounting enabled.


Regards

Fabrice



On 2017-06-19 at 14:30, Rokkhan via PacketFence-users wrote:

Hi,

I am trying to configure a wireless network using packetfence-pki and 
user certificates.

I have configured a role limited to 3 devices per user and configured 
packetfence-pki to generate user certificates using ldap's user id 
instead of device mac address.

The issue is that when the user generates the certificate for the 
first device I get an error generating certificate that I think is 
related to that a user certificate previously exists, because if I 
remove the previously generated certificate I do not get any error.

What am I doing wrong? How can I apply the 3 device limit per user 
using eap-tls?

When I connect to SSID using the generated certificate user is marked 
as login ok through radius but I get ocsp error. What port do I have to 
configure in eap.conf module? 9191 9292 or 9393 ?

Once the users are logged in the eap-tls ssid through radius server 
the packetfence server does not show status of the device. I mean, if I 
filter to "online nodes" these devices are not shown.


Greetings.




[PacketFence-users] packetfence-pki EAP-tls users and certificate management

2017-06-19 Thread Rokkhan via PacketFence-users
Hi,

I am trying to configure a wireless network using packetfence-pki and user
certificates.

I have configured a role limited to 3 devices per user and configured
packetfence-pki to generate user certificates using ldap's user id instead
of device mac address.

The issue is that when the user generates the certificate for the first
device I get an error generating certificate that I think is related to
that a user certificate previously exists, because if I remove the
previously generated certificate I do not get any error.

What am I doing wrong? How can I apply the 3 device limit per user using
eap-tls?

When I connect to SSID using the generated certificate user is marked as
login ok through radius but I get ocsp error. What port do I have to
configure in eap.conf module? 9191 9292 or 9393 ?

Once the users are logged in the eap-tls ssid through radius server the
packetfence server does not show status of the device. I mean, if I filter to
"online nodes" these devices are not shown.

Greetings.


Re: [PacketFence-users] PacketFence PKI

2016-11-28 Thread Morgan, Darren
Hi Antoine,
That's sorted it - Many thanks!
Regards
Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 25 November 2016 17:56
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PacketFence PKI


Morgan,

Can you try to remove the space after the comma in the enablerepo option?

yum install packetfence-pki --enablerepo=packetfence,packetfence-extra

Let us know if that works.

I installed the PKI on a fresh centos6 install without any issue.

thanks

On 11/25/2016 12:13 PM, Morgan, Darren wrote:
Hi Antoine,

Details below;

[root@localhost ~]# rpm -qa | grep django
python-django-1.6.11-10.3.noarch
python-django-bash-completion-1.6.11-10.3.noarch
python-django-tagging-0.3.1-7.el6.noarch

Kind regards

Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 25 November 2016 16:55
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PacketFence PKI


Hello Morgan,

Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate lines 
in the iptables.conf (I note that in the guide it says 9393 and 9292 so not 
sure if that is a typo on the iptables or the guide)

That should be 9393 and 9191, will be corrected.

The PacketFence PKI should still be supported and working.

It seems you have an issue with django dependencies, could you do "rpm -qa | grep 
django"?

I will try to setup one PKI quick and let you know.

Thanks

On 11/25/2016 11:45 AM, Morgan, Darren wrote:
Hi,

I'm still having major issues getting the PKI to install using the instructions 
provided (PacketFence_PKI_Quick_Install_Guide.pdf )  I'm using a fresh install 
of PacketFence 6.4.0 ZEN running on VMWare VSphere 6 Hypervisor (Given it 24GB 
RAM, 4 virtual sockets, with 2 cores each, and 200GB drive)

I've set up the system to link with our AD and is registered in our Domain.  
Checked with a laptop plugged in to an HP Procurve 2520G-8-PoE switch and end 
users can connect fine.  Even have Firewall SSO setup with iBoss which works 
beautifully)

The problem I have is when I go through the PKI install guide;

Prepare to install with PacketFence
Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate lines 
in the iptables.conf (I note that in the guide it says 9393 and 9292 so not 
sure if that is a typo on the iptables or the guide)
Restarted the iptables service

CentOS/RHEL
(Assuming I use the CentOS instructions as I'm using ZEN)
Tried the commands for this step and get the following errors;

[root@localhost ~]# yum localinstall http://inverse.ca/downloads/PacketFence/CentOS6/x86_64/RPMS/packetfence-release-1-2.centos6.noarch.rpm
Loaded plugins: fastestmirror
Setting up Local Package Process
packetfence-release-1-2.centos6.noarch.rpm | 2.8 kB 00:00
Examining /var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: packetfence-release-1-2.centos6.noarch
/var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: does not update installed package.
Nothing to do
[root@localhost ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.cov.ukservers.com
* extras: mirrors.ukfast.co.uk
* updates: mirror.cov.ukservers.com
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:01
extras | 3.4 kB 00:00
extras/primary_db | 37 kB 00:00
mariadb | 2.9 kB 00:00
mariadb/primary_db | 22 kB 00:00
p

Re: [PacketFence-users] PacketFence PKI

2016-11-25 Thread Morgan, Darren
Hi Antoine,

Details below;

[root@localhost ~]# rpm -qa | grep django
python-django-1.6.11-10.3.noarch
python-django-bash-completion-1.6.11-10.3.noarch
python-django-tagging-0.3.1-7.el6.noarch

Kind regards

Darren

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: 25 November 2016 16:55
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PacketFence PKI


Hello Morgan,

Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate lines 
in the iptables.conf (I note that in the guide it says 9393 and 9292 so not 
sure if that is a typo on the iptables or the guide)

That should be 9393 and 9191, will be corrected.

The PacketFence PKI should still be supported and working.

It seems you have an issue with django dependencies, could you do "rpm -qa | grep 
django"?

I will try to setup one PKI quick and let you know.

Thanks

On 11/25/2016 11:45 AM, Morgan, Darren wrote:
Hi,

I'm still having major issues getting the PKI to install using the instructions 
provided (PacketFence_PKI_Quick_Install_Guide.pdf )  I'm using a fresh install 
of PacketFence 6.4.0 ZEN running on VMWare VSphere 6 Hypervisor (Given it 24GB 
RAM, 4 virtual sockets, with 2 cores each, and 200GB drive)

I've set up the system to link with our AD and is registered in our Domain.  
Checked with a laptop plugged in to an HP Procurve 2520G-8-PoE switch and end 
users can connect fine.  Even have Firewall SSO setup with iBoss which works 
beautifully)

The problem I have is when I go through the PKI install guide;

Prepare to install with PacketFence
Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate lines 
in the iptables.conf (I note that in the guide it says 9393 and 9292 so not 
sure if that is a typo on the iptables or the guide)
Restarted the iptables service

CentOS/RHEL
(Assuming I use the CentOS instructions as I'm using ZEN)
Tried the commands for this step and get the following errors;

[root@localhost ~]# yum localinstall http://inverse.ca/downloads/PacketFence/CentOS6/x86_64/RPMS/packetfence-release-1-2.centos6.noarch.rpm
Loaded plugins: fastestmirror
Setting up Local Package Process
packetfence-release-1-2.centos6.noarch.rpm | 2.8 kB 00:00
Examining /var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: packetfence-release-1-2.centos6.noarch
/var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: does not update installed package.
Nothing to do
[root@localhost ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.cov.ukservers.com
* extras: mirrors.ukfast.co.uk
* updates: mirror.cov.ukservers.com
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:01
extras | 3.4 kB 00:00
extras/primary_db | 37 kB 00:00
mariadb | 2.9 kB 00:00
mariadb/primary_db | 22 kB 00:00
packetfence-extra | 951 B 00:00
packetfence-extra/primary | 74 kB 00:00
packetf

Re: [PacketFence-users] PacketFence PKI

2016-11-25 Thread Antoine Amacher

Hello Morgan,

Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate 
lines in the iptables.conf (I note that in the guide it says 9393 and 
9292 so not sure if that is a typo on the iptables or the guide)


That should be 9393 and 9191, will be corrected.

The PacketFence PKI should still be supported and working.

It seems you have an issue with django dependencies, could you do "rpm -qa | 
grep django"?


I will try to setup one PKI quick and let you know.

Thanks


On 11/25/2016 11:45 AM, Morgan, Darren wrote:


Hi,

I’m still having major issues getting the PKI to install using the 
instructions provided (PacketFence_PKI_Quick_Install_Guide.pdf )  I’m 
using a fresh install of PacketFence 6.4.0 ZEN running on VMWare 
VSphere 6 Hypervisor (Given it 24GB RAM, 4 virtual sockets, with 2 
cores each, and 200GB drive)


I’ve set up the system to link with our AD and is registered in our 
Domain.  Checked with a laptop plugged in to an HP Procurve 
2520G-8-PoE switch and end users can connect fine.  Even have Firewall 
SSO setup with iBoss which works beautifully)


The problem I have is when I go through the PKI install guide;

_Prepare to install with PacketFence_

Allowed traffic over ports 9393 and 9191 by uncommenting the 
appropriate lines in the iptables.conf (I note that in the guide it 
says 9393 and 9292 so not sure if that is a typo on the iptables or 
the guide)


Restarted the iptables service

_CentOS/RHEL_

(Assuming I use the CentOS instructions as I’m using ZEN)

Tried the commands for this step and get the following errors;

[root@localhost ~]# yum localinstall http://inverse.ca/downloads/PacketFence/CentOS6/x86_64/RPMS/packetfence-release-1-2.centos6.noarch.rpm
Loaded plugins: fastestmirror
Setting up Local Package Process
packetfence-release-1-2.centos6.noarch.rpm | 2.8 kB 00:00
Examining /var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: packetfence-release-1-2.centos6.noarch
/var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: does not update installed package.
Nothing to do
[root@localhost ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.cov.ukservers.com
* extras: mirrors.ukfast.co.uk
* updates: mirror.cov.ukservers.com
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:01
extras | 3.4 kB 00:00
extras/primary_db | 37 kB 00:00
mariadb | 2.9 kB 00:00
mariadb/primary_db | 22 kB 00:00
packetfence-extra | 951 B 00:00
packetfence-extra/primary | 74 kB 00:00
packetfence-extra 255/255
updates | 3.4 kB 00:00
updates/primary_db | 3.7 MB 00:01
Resolving Dependencies
--> Running transaction check
---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-ldap for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
--> Running transaction check
---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-rest-framework for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: django-countries for package: packetfence-pki-1.0.4-1.el6.noarch
---> Package python-ldap.x86_64 0:2.3.10-1.el6 will be installed
--> Finished Dependency Resolution

Error: Package: packetfence-pki-1.0.4-1.el6.noarch 

[PacketFence-users] PacketFence PKI

2016-11-25 Thread Morgan, Darren
Hi,

I'm still having major issues getting the PKI to install using the instructions 
provided (PacketFence_PKI_Quick_Install_Guide.pdf )  I'm using a fresh install 
of PacketFence 6.4.0 ZEN running on VMWare VSphere 6 Hypervisor (Given it 24GB 
RAM, 4 virtual sockets, with 2 cores each, and 200GB drive)

I've set up the system to link with our AD and is registered in our Domain.  
Checked with a laptop plugged in to an HP Procurve 2520G-8-PoE switch and end 
users can connect fine.  Even have Firewall SSO setup with iBoss which works 
beautifully)

The problem I have is when I go through the PKI install guide;

Prepare to install with PacketFence
Allowed traffic over ports 9393 and 9191 by uncommenting the appropriate lines 
in the iptables.conf (I note that in the guide it says 9393 and 9292 so not 
sure if that is a typo on the iptables or the guide)
Restarted the iptables service

CentOS/RHEL
(Assuming I use the CentOS instructions as I'm using ZEN)
Tried the commands for this step and get the following errors;

[root@localhost ~]# yum localinstall http://inverse.ca/downloads/PacketFence/CentOS6/x86_64/RPMS/packetfence-release-1-2.centos6.noarch.rpm
Loaded plugins: fastestmirror
Setting up Local Package Process
packetfence-release-1-2.centos6.noarch.rpm | 2.8 kB 00:00
Examining /var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: packetfence-release-1-2.centos6.noarch
/var/tmp/yum-root-PnLIg2/packetfence-release-1-2.centos6.noarch.rpm: does not update installed package.
Nothing to do
[root@localhost ~]# yum install packetfence-pki --enablerepo=packetfence-extra, packetfence
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.cov.ukservers.com
* extras: mirrors.ukfast.co.uk
* updates: mirror.cov.ukservers.com
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:01
extras | 3.4 kB 00:00
extras/primary_db | 37 kB 00:00
mariadb | 2.9 kB 00:00
mariadb/primary_db | 22 kB 00:00
packetfence-extra | 951 B 00:00
packetfence-extra/primary | 74 kB 00:00
packetfence-extra 255/255
updates | 3.4 kB 00:00
updates/primary_db | 3.7 MB 00:01
Resolving Dependencies
--> Running transaction check
---> Package packetfence-pki.noarch 0:1.0.4-1.el6 will be installed
--> Processing Dependency: python-pyasn1-modules >= 0.1.7 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-bootstrap3 for package: packetfence-pki-1.0.4-1.el6.noarch
--> Processing Dependency: python-django-rest-framework for package: 

Re: [PacketFence-users] PacketFence PKI issue

2015-11-18 Thread Jonathan Mahady
Hi,

So I've finally got around to doing some further troubleshooting on this
connection issue via tracing on the windows machine. It appears that there
is something wrong with the server cert signature that the windows client
can't verify. I am getting this in the client TLS logs:

[960] 11-17 15:26:06:560: InitializeSecurityContext returned 0x80096004
[960] 11-17 15:26:06:560: Returning error -2146869244
[960] 11-17 15:26:06:560: State change to RecdFinished. Error: 0x80096004

The 80096004 means there is a server signature problem. I noticed that the
captive portal cert is also unverified even though I've installed the server
CA cert into the certificate store. It turns out the captive portal cert is
issued by the localhost interface (127.0.0.1). Is there any way to verify
what server cert is being used by freeradius? Has anyone successfully
tested the packetfence PKI with Windows clients?

I'd appreciate any insights as I'd really like to get this functionality
working

Cheers,

Jonathan

On 10 November 2015 at 09:45, Jonathan Mahady 
wrote:

> Hi,
>
> I'm having an issue with the assignment of certificates using the
> packetfence PKI plugin. The plugin resides on the same box as Packetfence.
> The distro is Debian Wheezy and the version of packetfence is 5.4. I've
> configured the CA, the templates and a radius server cert. I've then added
> the PKI details into packetfence but when I try to onboard a test user the
> certificate assignment fails with the error that the certificate server
> cannot be reached. I've trolled through the logs and this is a section of the
> error it's reporting:
>
> "
>   Error at /pki/cert/rest/get/denver/
>   [(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]
>
>   Request Method: POST
>   Request URL: https://127.0.0.1:9393/pki/cert/rest/get/denver/
>   Django Version: 1.7.1
>   Exception Type: Error
>   Exception Value: [(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]
>   Exception Location: /usr/local/packetfence-pki/pki/models.py in sign, line 328
>   Python Executable: /usr/bin/python
>   Python Version: 2.7.3
>   Python Path: [/usr/lib/python2.7,
>    /usr/lib/python2.7/plat-linux2,
>    /usr/lib/python2.7/lib-tk,
>    /usr/lib/python2.7/lib-old,
>    /usr/lib/python2.7/lib-dynload,
>    /usr/local/lib/python2.7/dist-packages,
>    /usr/lib/python2.7/dist-packages,
>    /usr/lib/python2.7/dist-packages/PIL,
> "
>
> The cert does get generated as I can see it in the packetfence PKI gui but
> it doesn't get assigned to the user. I'm not sure what the issue is as I'm
> not great with this REST API/Python stuff. I would be extremely grateful
> for any advice or pointers.
>
> Cheers,
>
> Jonathan
>
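
The error quoted above names V2I_EXTENDED_KEY_USAGE and "first num too large", and the poster's follow-up in this thread traces it to a typo in the extended key usage value. OpenSSL tries such a value as an object name first and then as a dotted OID, so a misspelled name surfaces as an OID parsing error. The pre-flight check below is an added example, not part of the thread or of packetfence-pki; the function names and the short list of accepted names are assumptions of the example.

```python
import difflib
import re

# Short names listed for extendedKeyUsage in OpenSSL's x509v3_config(5).
# OpenSSL also accepts long names and other registered object names; this
# checker deliberately knows only the short list (assumption of the example).
KNOWN_EKU_NAMES = sorted([
    "serverAuth", "clientAuth", "codeSigning", "emailProtection",
    "timeStamping", "OCSPSigning", "ipsecIKE", "msCodeInd", "msCodeCom",
    "msCTLSign", "msEFS",
])


def check_dotted_oid(text):
    """Return None if text is a well-formed dotted OID, else the reason."""
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return "not a dotted OID (need at least two numeric arcs)"
    arcs = [int(a) for a in text.split(".")]
    if arcs[0] > 2:
        return "first arc must be 0, 1 or 2"
    if arcs[0] < 2 and arcs[1] >= 40:
        return "second arc must be below 40 when the first arc is 0 or 1"
    return None


def check_eku(value):
    """Check a comma-separated extendedKeyUsage value before signing.

    Returns a list of (token, problem) tuples. An empty list means every
    token is a known short name or a well-formed dotted OID.
    """
    problems = []
    tokens = [t.strip() for t in value.split(",")]
    for index, tok in enumerate(tokens):
        if index == 0 and tok == "critical":
            continue  # criticality flag, only meaningful as the first entry
        if tok == "":
            problems.append((tok, "empty entry (stray comma)"))
        elif tok in KNOWN_EKU_NAMES:
            continue
        elif tok[0].isdigit():
            reason = check_dotted_oid(tok)
            if reason:
                problems.append((tok, reason))
        else:
            # Names are case-sensitive, so "clientauth" is also a miss.
            guess = difflib.get_close_matches(tok, KNOWN_EKU_NAMES, n=1, cutoff=0.6)
            hint = "; did you mean %s?" % guess[0] if guess else ""
            problems.append((tok, "unknown name" + hint))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for sample in ("clientAuth, serverAuth", "clientAuht", "1.3.6.1.5.5.7.3.2",
                   "3.6.1", "serverAuth,"):
        print(repr(sample), "->", check_eku(sample) or "ok")
```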


Re: [PacketFence-users] PacketFence PKI issue

2015-11-11 Thread Jonathan Mahady
Hi Fabrice,

It looks like I didn't join the mailing list correctly (which I joined
now), so I hope you get this response. Anyway thanks for your speedy reply,
you're correct, I'd a typo in the extended key usage key. I can't believe I
missed that. Anyway I can get through the agent process and it installs the
cert on a Windows 7 machine but then I can't connect to the 802.1x wireless
network. From the radius debugging I enabled I think the client isn't
responding to the radius challenge and/or I haven't added a source to validate
the user certificate. I may have missed a step somewhere. Am I supposed to
configure the packetfence-pki as a source somehow? Below are a couple of
the debug messages I see:

root@pf:/home/jonathan# rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=50, length=205
User-Name = "denver"
NAS-IP-Address = 192.168.10.2
NAS-Port = 0
NAS-Identifier = "192.168.10.2"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "a088b415ed6c"
Called-Station-Id = "186472cb100c"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0201000b0164656e766572
Aruba-Essid-Name = "Secure@Denver-Lab"
Aruba-Location-Id = "18:64:72:cb:10:0c"
Aruba-AP-Group = "instant-CB:10:0C"
Message-Authenticator = 0x9f539de6ac024e0335a4ee4df8aa
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator =
0x9f539de6ac024e0335a4ee4df8aa
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x76980f77769a16aac51eb549dc9b5fc2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=51,
length=218
User-Name = "denver"
NAS-IP-Address = 192.168.10.2
NAS-Port = 0
NAS-Identifier = "192.168.10.2"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "a088b415ed6c"
Called-Station-Id = "186472cb100c"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02020006030d
State = 0x76980f77769a16aac51eb549dc9b5fc2
Aruba-Essid-Name = "Secure@Denver-Lab"
Aruba-Location-Id = "18:64:72:cb:10:0c"
Aruba-AP-Group = "instant-CB:10:0C"
Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = 
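
The EAP-Message attributes in the debug output above can be decoded by hand to see which EAP method each side is asking for. The decoder below is an added example, not part of the original post or of PacketFence or FreeRADIUS; the function names are assumptions, and the sample lines are the three EAP-Message values quoted in this message.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST"}
TLS_BASED = {13, 21, 25, 43}  # methods whose first data byte is a flags field

# EAP-Message lines copied from the debug output quoted in this message.
SAMPLE_LOG = """\
EAP-Message = 0x0201000b0164656e766572
EAP-Message = 0x010200061920
EAP-Message = 0x02020006030d
"""


def type_name(eap_type):
    return EAP_TYPES.get(eap_type, "type %d" % eap_type)


def decode_eap(hex_value):
    """Decode one EAP packet given as the hex string from the debug log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes, got %d" % len(raw))
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # Long EAP packets are split over several EAP-Message attributes;
        # concatenate them before decoding.
        raise ValueError("length field says %d, %d bytes present"
                         % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, "code %d" % code), "id": ident,
           "length": length, "type": None, "detail": ""}
    if code not in (1, 2) or length == 4:
        return out  # Success and Failure carry no type field
    eap_type, data = raw[4], raw[5:]
    out["type"] = type_name(eap_type)
    if eap_type == 1:
        out["detail"] = "identity=%r" % data.decode("utf-8", "replace")
    elif eap_type == 3:
        # A Nak lists the method(s) the peer is willing to use instead.
        out["detail"] = "wants " + ", ".join(type_name(t) for t in data)
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        names = [name for bit, name in ((0x80, "length-included"),
                                        (0x40, "more-fragments"),
                                        (0x20, "start")) if flags & bit]
        out["detail"] = "flags=" + ("+".join(names) or "none")
    return out


def decode_log(text):
    """Decode every EAP-Message attribute found in a block of debug output."""
    return [decode_eap(m)
            for m in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]


if __name__ == "__main__":
    for msg in decode_log(SAMPLE_LOG):
        print("{code:8} id={id} len={length:<3} {type}: {detail}".format(**msg))
```

On the three values above it reports an Identity response for "denver", a PEAP start request from the server, and a Nak from the client asking for EAP-TLS, all before any certificate is exchanged.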

Re: [PacketFence-users] PacketFence PKI issue

2015-11-11 Thread Durand fabrice

Hello Jonathan,

Did you configure the certificate on the radius side?
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_PKI_Quick_Install_Guide.asciidoc#step-3-configuring-packetfence
Do you have the CA pub key on the client side?
Regards
Fabrice

On 2015-11-11 03:21, Jonathan Mahady wrote:

Hi Fabrice,

It looks like I didn't join the mailing list correctly (which I joined 
now), so I hope you get this response. Anyway thanks for your speedy 
reply, you're correct, I'd a typo in the extended key usage key. I 
can't believe I missed that. Anyway I can get through the agent 
process and it installs the cert on a Windows 7 machine but then I 
can't connect to the 802.1x wireless network. From the radius 
debugging I enabled I think the client isn't responding to the radius 
challenge and/or I haven't added a source to validate the user 
certificate. I may have missed a step somewhere. Am I supposed to 
configure the packetfence-pki as a source somehow? Below are a couple 
of the debug messages I see:

root@pf:/home/jonathan# rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=50, length=205

User-Name = "denver"
NAS-IP-Address = 192.168.10.2
NAS-Port = 0
NAS-Identifier = "192.168.10.2"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "a088b415ed6c"
Called-Station-Id = "186472cb100c"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0201000b0164656e766572
Aruba-Essid-Name = "Secure@Denver-Lab"
Aruba-Location-Id = "18:64:72:cb:10:0c"
Aruba-AP-Group = "instant-CB:10:0C"
Message-Authenticator = 0x9f539de6ac024e0335a4ee4df8aa
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence

+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 
0x9f539de6ac024e0335a4ee4df8aa

rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x76980f77769a16aac51eb549dc9b5fc2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, 
id=51, length=218

User-Name = "denver"
NAS-IP-Address = 192.168.10.2
NAS-Port = 0
NAS-Identifier = "192.168.10.2"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "a088b415ed6c"
Called-Station-Id = "186472cb100c"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02020006030d
State = 0x76980f77769a16aac51eb549dc9b5fc2
Aruba-Essid-Name = "Secure@Denver-Lab"
Aruba-Location-Id = "18:64:72:cb:10:0c"
Aruba-AP-Group = "instant-CB:10:0C"
Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence

+group authorize {
[suffix] No '@' in 

Re: [PacketFence-users] PacketFence PKI issue

2015-11-11 Thread Jonathan Mahady
Hi Fabrice,

Thanks for the link. I did follow these instructions but in case I made a
mistake the first time, I deleted the CA cert and started from scratch but
it's still failing with the same debug output. Here is the output of the
section from the eap.conf file:

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_file = %%install_dir%%/conf/ssl/tls_certs/RadServ.key
    certificate_file = %%install_dir%%/conf/ssl/tls_certs/RadServ.pem
    CA_file = %%install_dir%%/conf/ssl/tls_certs/pf.denver-lab.pem
    #private_key_password = whatever
    dh_file = ${certdir}/dh
    random_file = /dev/urandom
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
        enable = no
        lifetime = 24 # hours
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = yes
        override_cert_url = yes
        url = "http://127.0.0.1:9292/pki/ocsp/"
    }
}

Do I need to set the private_key_password parameter? On the Windows
machine, I can see the client cert in the user account's personal cert
folder and server cert in the trusted list. I've uploaded some screenshots
of my packetfence and PKI conf to my Google Drive which you can access
here:
https://drive.google.com/folderview?id=0B3hRBeTEUkSbcW5uclBNcU9ueVE=sharing

On a final note, the server FQDN is pf.denver-lab, which I've confirmed
(just in case there is a CN issue with the cert).

Thanks for your patience and support!

On 11 November 2015 at 20:39, Durand fabrice wrote:

> Hello Jonathan,
>
> Did you configure the certificate on the radius side?
>
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_PKI_Quick_Install_Guide.asciidoc#step-3-configuring-packetfence
> Do you have the CA pub key on the client side?
>
> Regards
> Fabrice
>
>
> On 2015-11-11 03:21, Jonathan Mahady wrote:
>
> Hi Fabrice,
>
> It looks like I didn't join the mailing list correctly (which I joined
> now), so I hope you get this response. Anyway thanks for your speedy reply,
> you're correct, I'd a typo in the extended key usage key. I can't believe I
> missed that. Anyway I can get through the agent process and it installs the
> cert on a Windows 7 machine but then I can't connect to the 802.1x wireless
> network. From the radius debugging I enabled I think the client isn't
> responding to the radius challenge and/or I haven't added a source to validate
> the user certificate. I may have missed a step somewhere. Am I supposed to
> configure the packetfence-pki as a source somehow? Below are a couple of
> the debug messages I see
> root@pf:/home/jonathan# rad_recv: Access-Request packet from host
> 192.168.10.2 port 53584, id=50, length=205
> User-Name = "denver"
> NAS-IP-Address = 192.168.10.2
> NAS-Port = 0
> NAS-Identifier = "192.168.10.2"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "a088b415ed6c"
> Called-Station-Id = "186472cb100c"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x0201000b0164656e766572
> Aruba-Essid-Name = "Secure@Denver-Lab"
> Aruba-Location-Id = "18:64:72:cb:10:0c"
> Aruba-AP-Group = "instant-CB:10:0C"
> Message-Authenticator = 0x9f539de6ac024e0335a4ee4df8aa
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "denver", skipping NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "denver", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> ++[preprocess] = ok
> [eap] EAP packet type response id 1 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
> expand: %{Packet-Src-IP-Address} -> 192.168.10.2
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Called-Station-Id = 186472cb100c
> rlm_perl: Added pair Message-Authenticator =
> 0x9f539de6ac024e0335a4ee4df8aa
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
> rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
> rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
> rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
> rlm_perl: Added pair User-Name = denver
> rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
> rlm_perl: Added pair NAS-Identifier = 192.168.10.2
> rlm_perl: Added pair EAP-Message = 

Re: [PacketFence-users] PacketFence PKI issue

2015-11-10 Thread Durand fabrice

Hi Jonathan,

Based on the log I think that extendedKeyUsage is not correctly defined.
Can you check that?

Regards
Fabrice


On 2015-11-09 20:45, Jonathan Mahady wrote:

Hi,

I'm having an issue with the assignment of certificates using the 
packetfence PKI plugin. The plugin resides on the same box as 
Packetfence. The distro is Debian Wheezy and the version of 
packetfence is 5.4. I've configured the CA, the templates and a radius 
server cert. I've then added the PKI details into packetfence but when 
I try to onboard a test user the certificate assignment fails with the 
error that the certificate server cannot be reached. I've trolled 
through the logs and this is a section of the error it's reporting:


"
Error at /pki/cert/rest/get/denver/
[(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]

Request Method: POST
Request URL: https://127.0.0.1:9393/pki/cert/rest/get/denver/
Django Version: 1.7.1
Exception Type: Error
Exception Value: [(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]
Exception Location: /usr/local/packetfence-pki/pki/models.py in sign, line 328
Python Executable: /usr/bin/python
Python Version: 2.7.3
Python Path:
[/usr/lib/python2.7,
 /usr/lib/python2.7/plat-linux2,
 /usr/lib/python2.7/lib-tk,
 /usr/lib/python2.7/lib-old,
 /usr/lib/python2.7/lib-dynload,
 /usr/local/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages/PIL,
"

The cert does get generated as I can see it in the packetfence PKI gui 
but it doesn't get assigned to the user. I'm not sure what the issue 
is as I'm not great with this REST API/Python stuff. I would be 
extremely grateful for any advice or pointers.


Cheers,

Jonathan


--


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
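
Added example, not part of the original thread or of the PacketFence PKI code: a pre-flight check for an extendedKeyUsage value, the field the reply above points at. It assumes the value uses OpenSSL's comma-separated config syntax; the function names are made up for this example.

```python
import difflib
import re

# Short names for extendedKeyUsage listed in OpenSSL's x509v3_config
# documentation (subset); anything else must be a dotted numeric OID.
KNOWN_EKU_NAMES = [
    "serverAuth", "clientAuth", "codeSigning", "emailProtection",
    "timeStamping", "OCSPSigning", "ipsecIKE", "msCodeInd", "msCodeCom",
    "msCTLSign", "msEFS",
]
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")


def check_eku_item(item):
    """Return None when the item is acceptable, otherwise the reason."""
    if item in KNOWN_EKU_NAMES:
        return None
    if not item:
        return "empty item (stray comma)"
    if not DOTTED_OID.match(item):
        # OpenSSL parses an unrecognised name as a numeric OID; a leading
        # character other than 0, 1 or 2 is reported as "first num too large".
        close = difflib.get_close_matches(item, KNOWN_EKU_NAMES, n=1, cutoff=0.6)
        hint = " (did you mean %s?)" % close[0] if close else ""
        return "neither a known name nor a dotted OID" + hint
    arcs = [int(a) for a in item.split(".")]
    if arcs[0] > 2:
        return "first OID arc must be 0, 1 or 2"
    if arcs[0] < 2 and arcs[1] >= 40:
        return "second OID arc must be below 40 when the first is 0 or 1"
    return None


def check_eku(value):
    """Map each bad item of a comma-separated EKU value to its problem."""
    problems = {}
    items = [part.strip() for part in value.split(",")]
    if items and items[0] == "critical":  # optional criticality marker
        items = items[1:]
    for item in items:
        reason = check_eku_item(item)
        if reason:
            problems[item] = reason
    return problems


if __name__ == "__main__":
    # Constructed template values; the second one contains a typo.
    for value in ("clientAuth, 1.3.6.1.5.5.7.3.2", "cleintAuth,serverAuth"):
        print(value, "->", check_eku(value) or "ok")
```

The check is deliberately strict: it flags anything that is not exactly one of the listed names or a well-formed dotted OID.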




[PacketFence-users] PacketFence PKI issue

2015-11-09 Thread Jonathan Mahady
Hi,

I'm having an issue with the assignment of certificates using the
packetfence PKI plugin. The plugin resides on the same box as Packetfence.
The distro is Debian Wheezy and the version of packetfence is 5.4. I've
configured the CA, the templates and a radius server cert. I've then added
the PKI details into packetfence but when I try to onboard a test user the
certificate assignment fails with the error that the certificate server
cannot be reached. I've trolled through the logs and this is a section of the
error it's reporting:

"
Error at /pki/cert/rest/get/denver/
[(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]

Request Method: POST
Request URL: https://127.0.0.1:9393/pki/cert/rest/get/denver/
Django Version: 1.7.1
Exception Type: Error
Exception Value: [(asn1 encoding routines, a2d_ASN1_OBJECT, first num too large), (X509 V3 routines, V2I_EXTENDED_KEY_USAGE, invalid object identifier), (X509 V3 routines, X509V3_EXT_nconf, error in extension)]
Exception Location: /usr/local/packetfence-pki/pki/models.py in sign, line 328
Python Executable: /usr/bin/python
Python Version: 2.7.3
Python Path:
[/usr/lib/python2.7,
 /usr/lib/python2.7/plat-linux2,
 /usr/lib/python2.7/lib-tk,
 /usr/lib/python2.7/lib-old,
 /usr/lib/python2.7/lib-dynload,
 /usr/local/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages,
 /usr/lib/python2.7/dist-packages/PIL,
"

The cert does get generated as I can see it in the packetfence PKI gui but
it doesn't get assigned to the user. I'm not sure what the issue is as I'm
not great with this REST API/Python stuff. I would be extremely grateful
for any advice or pointers.

Cheers,

Jonathan


Re: [PacketFence-users] Packetfence-PKI connection refused error

2015-07-26 Thread Durand fabrice

Hello Andrew,

The SMTP server you defined in the profile refuses the connection; fix 
that and it will work.


Regards
Fabrice


On 2015-07-26 12:05, Andrew Taylor wrote:

Hi,

I installed packetfence pki and followed the instructions on the 
packetfence git, everything seems to have worked fine, except when I 
go to download/send a certificate… I get the following traceback:

http://dpaste.com/3N0DY7F

any ideas?

Cheers

A.




[PacketFence-users] Packetfence-PKI connection refused error

2015-07-26 Thread Andrew Taylor
Hi, 

I installed packetfence pki and followed the instructions on the packetfence 
git, everything seems to have worked fine, except when I go to download/send a 
certificate… I get the following traceback:
http://dpaste.com/3N0DY7F

any ideas?

Cheers

A.