Hi Oliver,
Thanks for the reply. Both the generic and scep endpoints return the same result. I
found something interesting: this is the output when I execute
sampleconfig.sh once:
docker exec -it openxpki-docker-openxpki-server-1 /bin/bash
/etc/openxpki/contrib/sampleconfig.sh
Fully automated sample setup using tmpdir /tmp/tmp.o2pq4LHEgF
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Successfully imported certificate
into database:
Subject: CN=OpenXPKI Root CA 20240626
Issuer: CN=OpenXPKI Root CA 20240626
Identifier: nPo7UqdVydQ95xBY-g5XagjeaKU
Realm: none
done.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Module rewrite already enabled
Module headers already enabled
Site openxpki already enabled
Site 000-default already disabled
Site default-ssl already disabled
Doing /etc/ssl/certs
OpenXPKI configuration should be and server should be running...
root@260c601a6567:/var/log/openxpki# openxpkiadm alias --realm democa
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: FCzZAVlVeXLvJuxzZFIG3c_XRN0
NotBefore : 2024-06-26 08:36:34
NotAfter : 2034-06-29 08:36:34
ratoken (scep):
Alias : ratoken-1
Identifier: IcW0gW4KH5UQ9ajSaxQdhWc5Ye8
NotBefore : 2024-06-26 08:36:34
NotAfter : 2025-06-26 08:36:34
ratoken (cmcra):
Alias : ratoken-1
Identifier: IcW0gW4KH5UQ9ajSaxQdhWc5Ye8
NotBefore : 2024-06-26 08:36:34
NotAfter : 2025-06-26 08:36:34
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 3LyloL0Y0KncuFrrdtXWuwm72I0
NotBefore : 2024-06-26 08:36:33
NotAfter : 2029-06-28 08:36:33
=== root ca ===
current root ca:
not set
upcoming root ca:
not set
As you can see, there is no Root CA; it was not set during sampleconfig.sh.
When that happens, I get the same 500 MIME Header errors as Eddy.
Following are the logs from scep with that configuration; this process did not
trigger a workflow:
DEB Config for service 'scep' loaded [pid=71|]
INF SCEP handler initialized [pid=71|]
DEB Autodetect config file for service 'scep': generic.conf
[pid=71|endpoint=generic]
DEB No config file found, falling back to default [pid=71|endpoint=generic]
DEB added config to cache generic [pid=71|endpoint=generic]
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'generic'
[pid=71|server=generic|endpoint=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|endpoint=generic|server=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: y2ZbhLVNQd2Ay5apTnIKTA==
[pid=71|endpoint=generic|server=generic]
DEB Selecting auth stack _System [pid=71|endpoint=generic|server=generic]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|server=generic|endpoint=generic]
DEB Incoming SCEP operation 'GetCACert' on endpoint 'generic'
[pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|endpoint=generic|server=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: G2frL/QFSPC1x5VNgRy2iw==
[pid=71|endpoint=generic|server=generic]
DEB Selecting auth stack _System [pid=71|endpoint=generic|server=generic]
DEB Workflow "scep_getcacert" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|endpoint=generic|server=generic]
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'generic'
[pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Calling context is plain HTTP [pid=71|server=generic|endpoint=generic]
DEB Initialize client [pid=71|endpoint=generic|server=generic]
DEB Started volatile session with id: PpsUh0yGSWql1uSmJ/J8Dg==
[pid=71|server=generic|endpoint=generic]
DEB Selecting auth stack _System [pid=71|server=generic|endpoint=generic]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|server=generic|endpoint=generic]
DEB HTTP status: [200 OK] [pid=71|endpoint=generic|server=generic]
DEB Incoming SCEP operation 'PKIOperation' on endpoint 'generic'
[pid=71|server=generic|endpoint=generic]
DEB Got PKIOperation via POST [pid=71|endpoint=generic|server=generic]
DEB Config created [pid=71|server=generic|endpoint=generic]
DEB Initialize client [pid=71|server=generic|endpoint=generic]
DEB Started volatile session with id: s5PIas8PSrWYSR9P/ufp3A==
[pid=71|server=generic|endpoint=generic]
DEB Selecting auth stack _System [pid=71|server=generic|endpoint=generic]
ERR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
[pid=71|endpoint=generic|server=generic]
DEB HTTP status: [500 Unable to initialize endpoint parameters]
[pid=71|endpoint=generic|server=generic]
ERR Unable to initialize endpoint parameters
[pid=71|server=generic|endpoint=generic]
DEB Disconnect client [pid=71|server=generic|endpoint=generic]
If I go to Information > System status, I see the following message:
Your system status is critical!
OpenXPKI system status
No CRL found!
---
Active Encryption Token
not available (vault-4)
System Version
3.30.3
Hostname
1b6296df61d6
Config Version
commit
config
3.28
dbschema
3
If I run as the user raop to generate a certificate through the website
(creating a key, etc.), the workflow stays with:
PAUSED: Certificate signing token is not online, count try 1, wakeup at
2024-06-26T09:44:07
If, after generating a certificate in the website, I execute the
sampleconfig again, I see a difference in the response:
Fully automated sample setup using tmpdir /tmp/tmp.OoRZMbp9K3
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Successfully imported certificate
into database:
Subject: CN=OpenXPKI Root CA 20240626
Issuer: CN=OpenXPKI Root CA 20240626
Identifier: 89tR34ocTwuJMZN1W_82A00apzY
Realm: none
Successfully wrote key to /etc/openxpki/local/keys/vault-5.pem
Successfully wrote alias:
Alias : vault-5
Identifier: 7k8pTLuD8eG3a9XbliRs28Vt6tU
NotBefore : 2024-06-26 09:39:55
NotAfter : 2034-06-29 09:39:55
Successfully wrote key to datapool with key 'ca-signer-5'
Successfully wrote alias:
Alias : ca-signer-5
Identifier: SR_Xk8JDQdUxD7WGfTMYl5r6O3g
NotBefore : 2024-06-26 09:39:54
NotAfter : 2029-06-28 09:39:54
Token is certsign, looking for root...
Creating alias for root ca:
Alias : root-5
Identifier: 89tR34ocTwuJMZN1W_82A00apzY
NotBefore : 2024-06-26 09:39:54
NotAfter : 2034-06-29 09:39:54
Successfully wrote key to datapool with key
'51:6D:71:C6:DF:80:F6:97:1F:61:D9:92:DA:ED:1B:A1:5F:34:F9:6E'
Successfully wrote alias:
Alias : ratoken-5
Identifier: vkDEyGogarI0389vqb1u_RNt0VA
NotBefore : 2024-06-26 09:39:55
NotAfter : 2025-06-26 09:39:55
done.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Module rewrite already enabled
Module headers already enabled
Site openxpki already enabled
Site 000-default already disabled
Site default-ssl already disabled
Doing /etc/ssl/certs
---
After that, I got a Root CA and the ENROLLMENT with SSCEP is working as
expected. My problem was that I did the first SSCEP enrollment before having a
valid Root CA, and because I did not change the key, it always went to the same
workflow with the error. But if I change the key after having a valid root CA
and being able to generate a certificate from the website, enrollment is
possible later with SCEP using a new key and a valid CN.
It seems that there is a problem with the import of the CA the first time, but
I don't understand why I don't see any logs when executing the bash script. I
also added the yaml file to wait for the database, as the documentation
suggested. I verified that the certificate was signed, and everything seems fine
in the tmp file. Nevertheless, the system does not detect the Root CA the first
time.
openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE}"
From Web UI Status:
Active Encryption Token not available (vault-1)
Best Regards,
Mit freundlichen Grüßen,
Jairo R. Mejia Aponte | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
[email protected] | www.netmodule.com | www.belden.com
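The symptom described in this message (functional tokens present, but "current root ca: not set", followed by 500 errors on PKIOperation and a workflow paused with "Certificate signing token is not online") is something an enrollment script can refuse to run into. The following is an added example, not part of this post and not code from the OpenXPKI project: a POSIX sh pre-flight check that parses the text printed by `openxpkiadm alias --realm <realm>` and only returns success when the realm has a current root CA alias and a certsign token whose NotBefore/NotAfter window covers "now". It assumes the listing layout shown above (a "=== root ca ===" section with "current root ca:" followed either by "not set" or by an "Alias :" block, and "(certsign):" token blocks with "NotBefore :"/"NotAfter :" in "YYYY-MM-DD HH:MM:SS" form); the two sample listings are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the OpenXPKI project or the original post):
# pre-flight check over the output of `openxpkiadm alias --realm <realm>`.
# Assumed layout: the one printed in the post (section headers like
# "=== root ca ===", token headers like "ca-signer (certsign):", and
# "Alias :", "NotBefore :", "NotAfter :" fields).

# Constructed sample 1: the listing from the first sampleconfig.sh run in
# the post, where "current root ca" is "not set".
ALIAS_BROKEN='=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: FCzZAVlVeXLvJuxzZFIG3c_XRN0
NotBefore : 2024-06-26 08:36:34
NotAfter : 2034-06-29 08:36:34
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 3LyloL0Y0KncuFrrdtXWuwm72I0
NotBefore : 2024-06-26 08:36:33
NotAfter : 2029-06-28 08:36:33
=== root ca ===
current root ca:
not set
upcoming root ca:
not set'

# Constructed sample 2: what the listing looks like after the second run,
# using the root-5 / ca-signer-5 aliases the post shows being written.
ALIAS_OK='=== functional token ===
ca-signer (certsign):
Alias : ca-signer-5
Identifier: SR_Xk8JDQdUxD7WGfTMYl5r6O3g
NotBefore : 2024-06-26 09:39:54
NotAfter : 2029-06-28 09:39:54
=== root ca ===
current root ca:
Alias : root-5
Identifier: 89tR34ocTwuJMZN1W_82A00apzY
NotBefore : 2024-06-26 09:39:54
NotAfter : 2034-06-29 09:39:54
upcoming root ca:
not set'

# field LISTING SECTION_REGEX FIELD
# Prints the value of FIELD (Alias, NotBefore, NotAfter, ...) from the block
# that starts at the first line matching SECTION_REGEX. Stops at the next
# section or token header, so a "not set" block yields an empty string.
field() {
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    $0 ~ sec { f = 1; next }
    f && (/^=== / || /root ca:$/ || /^[a-z-]+ [(][a-z]+[)]:$/) { exit }
    f { s = $0; sub(/^[ \t]+/, "", s)
        if (index(s, key) == 1) { sub(/^[^:]*:[ \t]*/, "", s); print s; exit } }'
}

# ts_ge A B: succeeds when timestamp A >= B. Lexical comparison is correct
# for zero-padded "YYYY-MM-DD HH:MM:SS" strings.
ts_ge() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a >= b) }'; }

# realm_ready LISTING [NOW]
# Returns 0 when the listing shows a current root CA alias and a certsign
# token valid at NOW (default: the current time); otherwise prints why and
# returns 1.
realm_ready() {
  listing=$1
  now=${2:-$(date '+%Y-%m-%d %H:%M:%S')}
  root=$(field "$listing" '^current root ca:' Alias)
  if [ -z "$root" ]; then
    echo "realm not ready: current root ca is not set" >&2
    return 1
  fi
  signer=$(field "$listing" '[(]certsign[)]:' Alias)
  if [ -z "$signer" ]; then
    echo "realm not ready: no certsign token alias" >&2
    return 1
  fi
  nb=$(field "$listing" '[(]certsign[)]:' NotBefore)
  na=$(field "$listing" '[(]certsign[)]:' NotAfter)
  if ! ts_ge "$now" "$nb" || ! ts_ge "$na" "$now"; then
    echo "realm not ready: certsign $signer not valid at $now ($nb .. $na)" >&2
    return 1
  fi
  echo "realm ready: root $root, certsign $signer valid until $na"
  return 0
}

# Stand-alone demonstration on the two constructed listings.
realm_ready "$ALIAS_BROKEN" "2024-06-26 10:00:00" || true
realm_ready "$ALIAS_OK" "2024-06-26 10:00:00" || true
```

In practice you would feed it the live output, e.g. `realm_ready "$(openxpkiadm alias --realm democa)" || exit 1`, before calling sscep. Note what the alias listing cannot tell you: in the first run above, ca-signer-1 had an alias but the enrollment workflow still paused with "Certificate signing token is not online", and only the second run printed "Successfully wrote key to datapool with key 'ca-signer-5'". An alias is not proof that the signer key is available, so this check complements, rather than replaces, watching for that PAUSED state.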
________________________________
From: Oliver Welter <[email protected]>
Sent: Wednesday, June 26, 2024 07:36
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] [SCEP] Enrollment failing with
I18N_OPENXPKI_UI_INVALID_PROFILE with OpenXPKI v3.30.3
Hello,
what URL did you use for enrolling? You must use a valid endpoint definition,
so the one in the sample config is http://..../scep/generic
Oliver
On 25.06.24 11:30, Jairo Mejia Aponte wrote:
Hello,
I have just performed a new installation of OpenXPKI v3.30.3 with Docker on a
Debian 12 host. I tried to enroll with SSCEP v0.10.0, as the documentation from
the docker repo and the quickstart guide
(https://openxpki.readthedocs.io/en/latest/quickstart.html) suggested. I
used the community configuration. The only difference from the basic
configuration is that I increased the logging level and set the realm_mode as
suggested in a previous mailing list message when working with a hostname
instead of a path (the default).
The GETCA operation works, but as soon as I wanted to ENROLL, I got problems. I
received a pkistatus FAILURE in the client and the reason: "Transaction not
permitted or supported". When I looked at the logs and the workflow in the
WebUI, I found out that the process is failing just at the end after parsing
the PKCS10 in the state PROFILE_SET with global_set_error_invalid_profile. The
logs from the SCEP server are:
DEB Incoming SCEP operation 'GetCACaps' on endpoint 'scep'
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Config created
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Calling context is plain HTTP
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Initialize client
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Started volatile session with id: j6S7lRUpQMSHXnCof9xcEw==
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
DEB Selecting auth stack _System
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Workflow "scep_getcacaps" created: id #0, state "SUCCESS"
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB HTTP status: [200 OK]
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Incoming SCEP operation 'PKIOperation' on endpoint 'scep'
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Got PKIOperation via POST
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Config created
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Initialize client
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Started volatile session with id: 3XblKVKDQo+9bKed/z8ysQ==
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Selecting auth stack _System
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Handle enrollment
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Calling context is plain HTTP
[pid=71|server=scep|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep]
DEB Adding extra parameters for message type 'PKCSReq'
[pid=71|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60|server=scep]
DEB Pickup via attribute: transaction_id = 6EA7B80F360928775E046C0C3A5FED60
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Pick up workflow #2303
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB HTTP status: [400 Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE]
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
ERR Request was rejected: I18N_OPENXPKI_UI_INVALID_PROFILE
[pid=71|server=scep|endpoint=scep|tid=6EA7B80F360928775E046C0C3A5FED60]
WAR Client error / malformed request: badRequest (internal code: 40006)
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
DEB Disconnect client
[pid=71|tid=6EA7B80F360928775E046C0C3A5FED60|endpoint=scep|server=scep]
Workflow history:
INITIAL enroll_initialize
INITIAL_ENROLL_INITIALIZE_0 global_map_url_params
INITIAL_ENROLL_INITIALIZE_1 enroll_set_transaction_id
INITIAL_ENROLL_INITIALIZE_2 enroll_set_workflow_attributes
INITIAL_ENROLL_INITIALIZE_3 global_load_policy
INITIAL_ENROLL_INITIALIZE_4 global_set_profile
INITIAL_ENROLL_INITIALIZE_5 enroll_parse_pkcs10
PARSED global_noop
PROFILE_SET global_set_error_invalid_profile
None of the information in previous messages was helpful for this error; the only
message was this thread (https://sourceforge.net/p/openxpki/mailman/message/37854953/),
but it was related to EST and, at least for me, this was not the solution. Do
you have any idea what could be the problem?
Happy coding and best Regards,
Jairo R. Mejia Aponte | Embedded Software Linux Junior Engineer
Netmodule | Hirschmann Automation & Control GmbH
Location Eschborn | Frankfurter Str. 10-14 | 65760 Eschborn | Germany
[email protected] | www.netmodule.com | www.belden.com
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!