On Wed, March 13, 2024 09:25, Martin Bartosch wrote:
> Hi James,
>
. . .
>
> 1. the output of openxpkicli get_token_info (file in file system) is not
> consistent with your configuration (key in datapool). I have no idea why,
> because I cannot see more details on your system, but to me it looks like the
> ca-signer token configuration is not the config the system is using
>
> 2. the config snippet is missing the definition for "default" in crypto.yaml
> where I assume the secret group is defined. If that does not match the secret
> group you seemingly intend to use for your ca signer tokens (which you named
> "ca-signer") then the passphrase will not be set correctly. Again, without
> being able to see more or your config it is impossible to tell.
This is the diff between the current config.d and the original before any
changes were made.
# git diff -G. hllv1.00 -- --follow config.d
diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
index 95614f5..bda48a1 100644
--- a/config.d/realm.tpl/crypto.yaml
+++ b/config.d/realm.tpl/crypto.yaml
@@ -15,7 +15,8 @@ token:
# Template to create key, available vars are
# ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
# KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
- key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
+ key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
# possible values are OpenSSL, nCipher, LunaCA
engine: OpenSSL
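Review bot: the `key:` value on both sides of this hunk is a filesystem path, so a token built from this block looks for `/usr/local/etc/openxpki/local/keys/<realm>/<alias>.pem` on disk, not in the datapool; if `openxpkicli get_token_info` reports the key as a file, that is what this line tells it. Verify that the expanded path exists for the active alias and is readable by the `openxpki` daemon user (checking as that user, not as root), and consider dropping the commented-out `/etc/openxpki/...` line instead of carrying dead configuration.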
@@ -42,7 +43,8 @@ token:
vault:
inherit: default
- key: /etc/openxpki/local/keys/[% ALIAS %].pem
+# key: /etc/openxpki/local/keys/[% ALIAS %].pem
+ key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem
ratoken:
inherit: default
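Review bot: same relocation for the vault token, with the pre-existing difference that the vault key path has no `[% PKI_REALM %]` component; that is unchanged by this hunk, but it means the vault key file must sit at `/usr/local/etc/openxpki/local/keys/<alias>.pem`, one level above the realm keys. The vault token is what unlocks secrets kept in the datapool, so the same ownership and permission check as for the signer key applies here.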
@@ -58,6 +60,13 @@ token:
# Define the secret groups
secret:
+
+ ca-signer:
+ label: Secret group for certsign Token
+ export: 1
+ method: literal
+ value: "democa"
+
default:
# this let OpenXPKI use the secret of the same name from system.crypto
# if you do not want to share the secret just replace this line with
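Review bot: this hunk adds a secret group `ca-signer`, but no hunk in the diff changes any token's `secret:` setting to reference it, and the `default` token block is not shown selecting it; unless the unchanged lines already do, the signer token keeps using whatever group it pointed at before and the passphrase defined here is never applied to the CA key. Separately, `method: literal` puts the passphrase in clear text in `crypto.yaml`, so that file needs to stay readable only by the openxpki user.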
@@ -69,4 +78,4 @@ secret:
label: Secret group for RA Token
export: 1
method: literal
- value: root
\ No newline at end of file
+ value: root
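Review bot: the only change in this hunk is the missing trailing newline after `value: root`; there is no functional change. While here: this RA token passphrase is also a `literal` value stored in the clear, so it falls under the same file-permission caveat as the `ca-signer` group above.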
diff --git a/config.d/system/database.yaml b/config.d/system/database.yaml
old mode 100644
new mode 100755
index 472217a..3043863
--- a/config.d/system/database.yaml
+++ b/config.d/system/database.yaml
@@ -1,9 +1,9 @@
main:
debug: 0
- type: MariaDB
+ type: PostgreSQL
name: openxpki
host: localhost
- port: 3306
+ port: 5432
user: openxpki
passwd: openxpki
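Review bot: switching `type` to PostgreSQL and `port` to 5432 requires the PostgreSQL Perl DBD driver to be installed and the OpenXPKI schema to have been loaded into that database; neither is visible in this diff, and a missing schema produces errors that are easy to mistake for a token problem. Unrelated to the content, the mode change 100644 to 100755 makes a config file holding the database password executable, which serves no purpose; 0640 owned by the openxpki user is the sensible mode.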
diff --git a/config.d/system/realms.yaml b/config.d/system/realms.yaml
old mode 100644
new mode 100755
index 9b0036b..bc50e30
--- a/config.d/system/realms.yaml
+++ b/config.d/system/realms.yaml
@@ -4,3 +4,7 @@
democa:
label: Example.org Demo CA
baseurl: https://pki.example.com/openxpki/
+
+hll_ca2016:
+ label: Harte & Lyne Limited CA
+ baseurl: https://openxpki-3.internal.harte-lyne.ca/openxpki/
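Review bot: adding realm `hll_ca2016` to `realms.yaml` does not by itself give it a realm configuration: the rest of this diff edits only `config.d/realm.tpl`, and no hunk creates a `config.d/realm/hll_ca2016` directory or links it to the template. If the running realm is backed by a separate copy of the realm configuration, the edited key paths and the new `ca-signer` secret group are not what the server loads, which would explain `get_token_info` disagreeing with the intended configuration. The mode change to 100755 is again unnecessary for a YAML file.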
diff --git a/config.d/system/server.yaml b/config.d/system/server.yaml
old mode 100644
new mode 100755
index e667f0f..2b4d741
--- a/config.d/system/server.yaml
+++ b/config.d/system/server.yaml
@@ -1,19 +1,20 @@
# Shown in the processlist to distinguish multiple instances
-name: main
+name: hll_main
# Location of the log4perl configuration
-log4perl: /etc/openxpki/log.conf
+#log4perl: /etc/openxpki/log.conf
+log4perl: /usr/local/etc/openxpki/log.conf
# Daemon settings
user: openxpki
group: openxpki
socket_file: /var/openxpki/openxpki.socket
-pid_file: /run/openxpkid.pid
+pid_file: /var/run/openxpkid.pid
stderr: /var/log/openxpki/stderr.log
tmpdir: /var/tmp
# we need to give write permission to the socket for the webserver
-socket_owner: www-data
+socket_owner: www
# This is experimental!
#type: PreFork
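Review bot: the relocated `log4perl`, `pid_file` and `socket_owner: www` values are consistent with a FreeBSD ports layout, but two things need checking: `www` must be the user the web frontend actually runs as, or the UI cannot open the socket, and `socket_file` and `stderr` still point at `/var/openxpki` and `/var/log/openxpki`, which must exist and be writable by the `openxpki` user after the ports service script has run, since the message notes that script rewrites ownership. The commented-out `#log4perl` line can go, and the 100644 to 100755 mode change is unneeded here as well.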
>
> 2a. a fixed value for a CA key is not a good idea
True. On the other hand, this is a proof of concept test, and literal values
allow one to grep for things.
>
> Bottom line: your system cannot access the private key, and this is either a
> permission problem or a problem with the CA passphrase.
The passphrase has been verified as correct, as I can expose the private key
using openssl.
The service script provided with the pr-openxpki pkg from FreeBSD ports trashes
the permissions and ownerships. I ran that instead of openxpkictl (once) and
discovered that the hard way. So a permissions problem is possible. On the
other hand I have just completed a thorough check of file permissions against
those in the community branch and these are all the same.
Thanks,
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users