Re: [OpenXPKI-users] EST basics OpenXPKI v3.2.1

2020-01-07 Thread Jefferson Dümes
Hi Oliver,

I just realized that this is very similar to a problem already posted here
before. I will try your suggestion on that post:

https://sourceforge.net/p/openxpki/mailman/message/36883604/

Regards,
Jeff


On Tue, 7 Jan 2020 at 16:59, Jefferson Dümes wrote:

> Hi Oliver,
>
> I am still fighting with EST and now I did a curl against the proper
> endpoint: "simpleenroll"
>
> "curl https://172.31.1.201/.well-known/est/simpleenroll -s -o meuteste.p7
> --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header
> resp.hdr"
>
> I get this in Technical Log:
> WARN
> No policy params set in LoadPolicy (anonymous)
>
> And this in Workflow history:
> enroll_render_subject
> EXCEPTION:
> I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE;
> __PROFILE__ => EMPTY, __STYLE__ => enroll
>
> $ cat meuteste.p7
> Internal Server Error
>
> In est.log I see a " 'wf_exception' =>
> 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',"
> but I can not follow what that means.
>
> Regards,
> Jeff
>
>
> On Mon, 23 Dec 2019 at 09:43, Oliver Welter wrote:
>
>> Hi Jeff,
>>
>> while trying to track down the empty debug message I recognized that
>> simple_re_enroll is not properly handled by the current script. Please
>> use "simpleenroll" for the moment or use the patched version from github.
>>
>> Oliver
>>
>> On 20.12.19 at 13:17, Jefferson Dümes wrote:
>> > Hi people,
>> >
>> > I am missing something in my tests when trying the simpleenroll just
>> > like the example in Step 4 from http://testrfc7030.com/.
>> >
>> > Initially I left out the "--anyauth -u estuser:estpwd" part cause I
>> > don't know what I should enter in it. Then tried a valid operator user,
>> > but the logs still show " EST unauthenticated (no cert) ".
>> >
>> > The question is, what am I missing?
>> >
>> >
>> > ---
>> >   curl https://172.31.1.25/.well-known/est/simplereenroll --anyauth -u
>> > raop:openxpki -s -o meuteste.p7 --cacert cacerts.pem
>> > --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header
>> > resp.hdr
>> >
>> > techsupp@j00s-tpki01:mgmt-automation$ sudo systemctl restart openxpkid
>> >
>> > ---
>> > tail -f /var/log/openxpki/est.log
>> > 2019/12/20 11:47:28 INFO:28251 EST handler initialized
>> > 2019/12/20 11:47:28 DEBUG:28251 Incoming request /.well-known/est/simplereenroll
>> > 2019/12/20 11:47:28 DEBUG:28251 calling context is https
>> > 2019/12/20 11:47:28 DEBUG:28251 EST unauthenticated (no cert)
>> > 2019/12/20 11:47:28 TRACE:28251
>> > 2019/12/20 11:47:28 INFO:28251 Disconnect client
>> > 2019/12/20 11:47:28 DEBUG:28251 Initialize client
>> > 2019/12/20 11:47:28 DEBUG:28251 Started volatile session with id: vrrUw48GQpmK7Q9N4qP4mg==
>> > 2019/12/20 11:47:28 DEBUG:28251 Selecting realm automation
>> >
>> > Regards,
>> > Jeff
>> >
>> >
>> > ___
>> > OpenXPKI-users mailing list
>> > OpenXPKI-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
>> >
>>
>>
>> --
>> Protect your environment -  close windows and adopt a penguin!
>>
>>
>


Re: [OpenXPKI-users] EST basics OpenXPKI v3.2.1

2020-01-07 Thread Jefferson Dümes
Hi Oliver,

I am still fighting with EST and now I did a curl against the proper
endpoint: "simpleenroll"

"curl https://172.31.1.201/.well-known/est/simpleenroll -s -o meuteste.p7
--data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header
resp.hdr"

I get this in Technical Log:
WARN
No policy params set in LoadPolicy (anonymous)

And this in Workflow history:
enroll_render_subject
EXCEPTION:
I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE;
__PROFILE__ => EMPTY, __STYLE__ => enroll

$ cat meuteste.p7
Internal Server Error

In est.log I see a " 'wf_exception' =>
'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',"
but I can not follow what that means.

Regards,
Jeff


On Mon, 23 Dec 2019 at 09:43, Oliver Welter wrote:

> Hi Jeff,
>
> while trying to track down the empty debug message I recognized that
> simple_re_enroll is not properly handled by the current script. Please
> use "simpleenroll" for the moment or use the patched version from github.
>
> Oliver
>
> On 20.12.19 at 13:17, Jefferson Dümes wrote:
> > Hi people,
> >
> > I am missing something in my tests when trying the simpleenroll just
> > like the example in Step 4 from http://testrfc7030.com/.
> >
> > Initially I left out the "--anyauth -u estuser:estpwd" part cause I
> > don't know what I should enter in it. Then tried a valid operator user,
> > but the logs still show " EST unauthenticated (no cert) ".
> >
> > The question is, what am I missing?
> >
> >
> > ---
> >   curl https://172.31.1.25/.well-known/est/simplereenroll --anyauth -u
> > raop:openxpki -s -o meuteste.p7 --cacert cacerts.pem
> > --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header
> > resp.hdr
> >
> > techsupp@j00s-tpki01:mgmt-automation$ sudo systemctl restart openxpkid
> >
> > ---
> > tail -f /var/log/openxpki/est.log
> > 2019/12/20 11:47:28 INFO:28251 EST handler initialized
> > 2019/12/20 11:47:28 DEBUG:28251 Incoming request /.well-known/est/simplereenroll
> > 2019/12/20 11:47:28 DEBUG:28251 calling context is https
> > 2019/12/20 11:47:28 DEBUG:28251 EST unauthenticated (no cert)
> > 2019/12/20 11:47:28 TRACE:28251
> > 2019/12/20 11:47:28 INFO:28251 Disconnect client
> > 2019/12/20 11:47:28 DEBUG:28251 Initialize client
> > 2019/12/20 11:47:28 DEBUG:28251 Started volatile session with id: vrrUw48GQpmK7Q9N4qP4mg==
> > 2019/12/20 11:47:28 DEBUG:28251 Selecting realm automation
> >
> > Regards,
> > Jeff
> >
> >
> >
>
>
>
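In the message above, curl runs with `-s -o meuteste.p7`, so the server's "Internal Server Error" body ends up in the file that was meant to hold the PKCS#7 reply. As an added example (not from the thread and not OpenXPKI code), the following shell functions read the `resp.hdr` file written by `--dump-header` and decode the body only when the reply is an RFC 7030 success; the function names and the sample header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the curl --dump-header file before trusting the body.

# Print the last HTTP status code in the dump (curl appends one header block
# per response, e.g. after an authentication retry).
est_status() {
    awk '/^HTTP\// { sub(/\r$/, ""); code = $2 } END { print code }' "$1"
}

# Print the last Content-Type, lower-cased, without parameters.
est_content_type() {
    awk -F': *' 'tolower($1) == "content-type" { v = tolower($2) }
        END { sub(/[ \t;\r].*/, "", v); print v }' "$1"
}

# Classify the reply: issued | pending | error:<code>
est_check() {
    code=$(est_status "$1")
    ctype=$(est_content_type "$1")
    if [ "$code" = "200" ] && [ "$ctype" = "application/pkcs7-mime" ]; then
        echo issued
    elif [ "$code" = "202" ]; then
        echo pending            # RFC 7030: retry after the Retry-After delay
    else
        echo "error:${code:-none}"
    fi
}

# Decode the certs-only PKCS#7 body only when the headers say it is one.
# usage: est_print_certs resp.hdr meuteste.p7
est_print_certs() {
    verdict=$(est_check "$1")
    [ "$verdict" = "issued" ] || { echo "not a certificate: $verdict" >&2; return 1; }
    openssl base64 -d -in "$2" | openssl pkcs7 -inform DER -print_certs
}

# Constructed sample header dumps (not captured from a real server).
demo_dir=$(mktemp -d)
printf 'HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n' > "$demo_dir/fail.hdr"
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/pkcs7-mime; smime-type=certs-only\r\nContent-Transfer-Encoding: base64\r\n\r\n' > "$demo_dir/ok.hdr"
echo "fail.hdr -> $(est_check "$demo_dir/fail.hdr")"
echo "ok.hdr   -> $(est_check "$demo_dir/ok.hdr")"
```

Adding `--fail` to the curl call is a complementary check: curl then exits non-zero on HTTP 4xx/5xx instead of saving the error page as the output file.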


Re: [OpenXPKI-users] Special characters in subject

2020-01-07 Thread Andreas.Krieger
Hello and happy new year 

Sorry for opening this old case but I saw that something changed by upgrading 
to 2.5.5.

The parts where I have changed the regex are gone. I have tried to add the 
matching inside the profiles but I still get a 'Subject is invalid' from the 
workflow.

The OU part should be something like OU=MS/2 and is recognized as OU=

I have added 'match: \A [a-zA-Z0-9\@\-_\.\&\/\s\%\*\+\=\,\:\ ]* \z' to the ou 
template without any effect.

The 'search_cert' part within OpenXPKI::Server::API looks different now 

Where do I have to change the regex now?

Regards
Andreas


-Original Message-
From: Oliver Welter
Sent: Friday, 25 August 2017 08:27
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Special characters in subject

Hi Andreas,

this is not an "edit here" problem - if you want to try, have a look at the 
regex filters in OpenXPKI::Server::API for e.g. search_cert. It might work with 
just relaxing the regex.

We have just started a rework of the API and will address this problem, so 
perhaps it is an option for you to contribute to the overall development ;)

Oliver

On 21.08.2017 at 11:31, andreas.krie...@o-s.de wrote:
> Hi Oliver.
> 
> Can you tell which file I have to look for to get it to work please? 
> Maybe I can fix it by myself :)
> 
> 
> Kind regards / Best regards
> 
> Andreas Krieger
> 
> 
> 
> Hi Andreas,
> 
>> Are there any issues using special characters within the subject like 
>> in the fields O and OU
>> We have a slash in our OU and a & and . in our O. If I don't use them
>> it works just fine but when I use those characters the creation of the 
>> subject fails.
> To be honest, we never took care on special chars in the subject parts as our 
> main customers did not demand for it. Besides the problem that openssl is a 
> bit picky on some things a lot of sanitization rules do not handle such chars 
> correctly internally - so it is just not working yet.
> 
> Oliver
> 
> 


Re: [OpenXPKI-users] SAN-IP database error

2020-01-07 Thread Martin Bartosch
Hi Robert,

> I'm new to openxpki and installed the current stable on Buster via the Debian 
> repo.
> After several beginner-issues everything works fine now, except if I'm 
> entering an IPv4 address as SAN field. The approval will then be paused 
> because of a "backend communication error".

In the majority of use cases your users will be addressing the end entities 
holding your certificates by DNS names - and not IP addresses. Hence an IP 
address does not have to be included in the certificate. My reasoning is that a 
certificate profile should only include the necessary information to perform 
the job. If you include more fuzz, it still works, but it's unnecessary fuzz. 
And once you have introduced unnecessary fuzz into your PKI you will never get 
rid of it later because you don't know what might break if you do. So don't do 
it in the first place :)


Cheers

Martin



