Hi Eddy,
are you using an older config? There was a problem with a spelling
difference in the profile names.
The profile to issue is taken from scep/generic.yaml and should be
visible in the workflow context as cert_profile; this must match the
name of the profile (yaml file name) in profiles. Please look closely,
we had mixed up dashes and underscores in an earlier version of the
example config.
Oliver
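
Added example (not part of the original thread, and not OpenXPKI code): a shell check for the mismatch described above, comparing the profile name the endpoint requests against the yaml file names in a profile directory and flagging a dash/underscore variant. The function name, the directory argument and the sample profile names are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_profile NAME DIR   (hypothetical helper, not an OpenXPKI tool)
#   NAME: profile name the endpoint asks for (the cert_profile value)
#   DIR:  directory holding the realm's profile yaml files (path is an
#         assumption; pass whatever your installation uses)
# Exit 0: DIR/NAME.yaml exists.
# Exit 1: only a dash/underscore variant exists (its name is printed).
# Exit 2: nothing similar was found.
check_profile() {
    name=$1
    dir=$2
    [ -f "$dir/$name.yaml" ] && return 0
    # Normalise underscores to dashes on both sides before comparing.
    want=$(printf '%s' "$name" | tr '_' '-')
    for f in "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        base=$(basename "$f" .yaml)
        if [ "$(printf '%s' "$base" | tr '_' '-')" = "$want" ]; then
            printf '%s\n' "$base"
            return 1
        fi
    done
    return 2
}

# Constructed demo: a throwaway profile directory whose files use
# underscores, queried with exact, dashed and unknown names.
demo_dir=$(mktemp -d)
: > "$demo_dir/tls_server.yaml"
: > "$demo_dir/tls_client.yaml"
for p in tls_server tls-client user_auth; do
    if hit=$(check_profile "$p" "$demo_dir"); then
        echo "$p: ok"
    elif [ -n "$hit" ]; then
        echo "$p: no such profile, did you mean '$hit'?"
    else
        echo "$p: no such profile"
    fi
done
rm -rf "$demo_dir"
```
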
On 26.06.24 11:37, Eddy BODIN via OpenXPKI-users wrote:
Hi Oliver,
Thank you for your reply. The situation has changed a bit, after
pushing a new certificate chain (root, certsign, scep), the enrollment
now goes further. And now I get an error that seems to be similar to
Jairo R. Mejia Aponte's post:
https://sourceforge.net/p/openxpki/mailman/message/58788506/
I saw your answer in this post, and I tried to change the URL
(../scep/generic) but the result is the same, I got an invalid profile.
Best regards
Eddy
_SSCEP logs:_
sscep enroll -u http://192.168.1.153:80/scep/generic -v -d -k
local.key -r local.csr -l local.crt -c pki2.crt-0
sscep: PKCS#7 contains 0 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 65950E20937C5635E1D2F510E19985E9
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: 4D3889B2BF799BBFE1FCB54F90477B00
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: C68880C978F23DDFA9AC7947142D9E1F
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
_OpenXPKI logs:_
==> /var/log/openxpki/openxpki.log <==
2024/06/26 05:24:33 INFO Login successful (user: Anonymous, role:
System) [pid=4071|sid=BX+t|pki_realm=democa]
==> /var/log/openxpki/catchall.log <==
2024/06/26 05:24:33 openxpki.auth.INFO Login successful (user:
Anonymous, role: System) [pid=4071|sid=BX+t|pki_realm=democa]
==> /var/log/openxpki/openxpki.log <==
2024/06/26 05:24:33 INFO Login successful (user: Anonymous, role:
System) [pid=4072|sid=U4NR|pki_realm=democa]
==> /var/log/openxpki/catchall.log <==
2024/06/26 05:24:33 openxpki.auth.INFO Login successful (user:
Anonymous, role: System) [pid=4072|sid=U4NR|pki_realm=democa]
==> /var/log/openxpki/scep.log <==
2024/06/26 05:24:33 ERR Request was rejected:
I18N_OPENXPKI_UI_INVALID_PROFILE [pid=3930|ep=generic]
2024/06/26 05:24:33 WAR Client error / malformed request: badRequest
(internal code: 40006) [pid=3930|ep=generic]
CSR:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN=PetitPoucet, C=FR, O=SE, OU=RnD
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a3:f5:ca:b3:b2:e0:56:6b:a9:96:c5:b6:40:fa:
                    3b:a9:4a:...
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :SecretChallenge
            Requested Extensions:
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5d:b3:a8:75:b1:df:8c:c1:6f:e9:a1:cd:c9:69:42:3b:7d:31:
        57:8d:02:f8:...
------------------------------------------------------------------------
*From:* Oliver Welter <[email protected]>
*Sent:* Wednesday, 26 June 2024 07:32
*To:* [email protected]
<[email protected]>
*Subject:* Re: [OpenXPKI-users] [SCEP] HTTP Error 500 with OpenXpki
v3.30.3
------------------------------------------------------------------------
Hi Eddy,
it works here for me on our demo without any problems, do you have any
specialities in the CSR? What's in the logs?
Oliver
On 23.06.24 21:30, Eddy BODIN via OpenXPKI-users wrote:
Hello,
I have just performed a new installation of OpenXPKI v.30.3 with
the APT mechanism on my Debian 12.5.0 virtual machine but when I
try to enroll with SSCEP v0.10.0 (SSCEP is on another Debian
12.5.0 VM - also newly installed), I get an HTTP 500 error code
from OpenXPKI. Should I add a new argument to SSCEP for enrollment?
PS: To install OpenXPKI, I used the quick start documentation and
the sampleconfig.sh script. The only file I configured was
*/etc/openxpki/config.d/system/database.yaml* to */type: MariaDB2/*
root@debian:~/sscep-master/001# sscep enroll -u http://192.168.1.112/scep/scep -c pki.crt-0 -k local.key -r local.csr -l local.crt -d
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: 192.168.1.112
sscep: directory: scep/scep
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: scep request:
...
sscep: connecting to 192.168.1.112:80
sscep: server response status code: 500, MIME header: text/html
sscep: wrong (or missing) MIME content type
sscep: error while sending message
root@debian:~/sscep-master/001#
PS: sscep getca works well
Best Regards
Eddy
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!