Hi again. :-)
I wrote a small patch for lib/cmds/scepPKIOperation and
lib/functions/misc-utils.lib and added the necessary error handling:
~# cd $OPENCADIR/openca/lib/cmds/ && patch scepPKIOperation < scepPKIOperation.patch
scepPKIOperation.patch:
--- scepPKIOperation.orig 2006-07-14 20:07:56.000000000 +0200
+++ scepPKIOperation 2006-07-14 20:06:58.000000000 +0200
@@ -115,11 +115,11 @@
$ChainDir = getRequired ("ChainDir");
- foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
+ foreach my $value (qw(ScepAllowEnrollment ScepAllowRenewal
ScepDefaultRole
ScepDefaultRA ScepRenewalRDNMatch
ScepKeepSubjectAltName ScepAutoApprove)) {
- my $val = getRequired($_);
- eval "\$$_ = \$val";
+ my $val = getRequired($value);
+ eval "\$$value = \$val";
}
$p7_file = getRequired ( 'tempdir' ) . "/scep_pkiOp_$$.p7";
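Review bot: the added line eval "\$$value = \$val"; still assigns through a string eval and never checks $@, so an assignment that fails at runtime is skipped silently and the variable stays unset. The keyword names come from a fixed qw() list, so the values could go into a hash keyed by $value instead, which removes the runtime-compiled string altogether. The hunk also gives no reason for replacing $_ with a lexical $value; if the cause is that something called from getRequired() changes $_, a one-line comment above the loop should say so.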
Now the SCEP client gets:
"HTTP/1.1 200 OK\r
Date: Fri, 14 Jul 2006 15:26:04 GMT\r
Server: Apache\r
Set-Cookie: CGISESSID=5491a77b57ebf2c19f9c0c88b042e4fe; path=/\r
Connection: close\r
Content-Type: text/html\r
\r
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="C"
xml:lang="C"><head><title>Configuration Error</title>
</head><body bgcolor="#FFFFFF"><CENTER><BR><HR
WIDTH=80%><BR></CENTER><OL><OL><H1><FONT COLOR=red>Error
690</FONT></H1><OL> <B>Configuration Error</B>. Missing Configuration
Keyword : ScepDefaultRA.</OL></OL></OL>
</PRE><CENTER><HR WIDTH=80%></CENTER>
<FONT SIZE="+0">
</BODY>
</HTML>
"
And for printing it into stderr.log (because the client perhaps isn't
interested in it):
~# cd $OPENCADIR/openca/lib/functions && patch misc-utils.lib < misc-utils.lib.patch
misc-utils.lib.patch:
--- misc-utils.lib.orig 2006-07-14 20:14:15.000000000 +0200
+++ misc-utils.lib 2006-07-14 20:15:06.000000000 +0200
@@ -118,6 +118,7 @@
## If there is an Error, just send the missing
## parameter error to the browser
+ print STDERR "ERROR: Missing Configuration Keyword :
$name\n";
configError( i18nGettext ("Missing Configuration Keyword :
__KEY__", "__KEY__", $name) );
}
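Review bot: the comment directly above the added print STDERR line still says the error is just sent to the browser, which is no longer accurate once the message is also written to STDERR; update the comment with this change. The log line carries only $name, so consider adding which command or configuration file was being read, because whoever reads stderr.log does not see the request that triggered it.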
if there is a configuration error. Please test it. It works for me.
HTH and a nice Weekend
Ralf
Ralf Hornik Mailings wrote:
> Dear list,
>
> finally I fixed this problem. After a deep flight into the OpenCA code I
> found the following in openca/lib/cmds/scepPKIOperation:
>
> ---8<---
> ...
> sub cmdscepPKIOperation
> ...
> foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
> ScepDefaultRA ScepRenewalRDNMatch
> ScepKeepSubjectAltName ScepAutoApprove)) {
> my $val = getRequired($_);
> eval "\$$_ = \$val";
> }
> ...
> --->8---
>
> I estimate that EACH of the values is required and my scep.conf.template
> shows:
>
> ---8<---
> ## ============== [ General Section ] =========================
>
> ScepAllowEnrollment "YES"
> ScepAllowRenewal "YES"
> ScepKeepSubjectAltName "YES"
>
> ScepRenewalRDNMatch ""
>
> # Defaults for initial enrollment
> ScepDefaultRole "User"
> #ScepDefaultRA "MyRA"
>
> ScepAutoApprove "NO"
> --->8---
>
> 'ScepDefaultRA' was uncommented...so the compilation of
> cmdScepPKIOperation failed. After uncommenting this value the compilation
> was successful.
>
> Wouldn't it be better, to give a little bit more error handling here like:
>
> foreach $value (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
> ScepDefaultRA ScepRenewalRDNMatch
> ScepKeepSubjectAltName ScepAutoApprove)) {
> die "$value missing in configfile: $!" if not defined $value;
> my $val = getRequired($value);
>
> This would save much time and nerves. ;-)
>
> However, after fixing this and reading the other SCEP related mails SCEP
> works now. And I had not to make the scep directive separately. I think on
> OpenCA 0.9.2.5 this issue has been removed.
>
> Thanks
>
> Ralf
>
>
>>Ralf Hornik Mailings wrote:
>>Hi Martin,
>>
>>Both debugging flags are enabled, there is no other output.
>>However, the openca-scep commands work, when I make it manually using the
>>shell.
>>
>>I think, the problem is on the webinterface.
>>
>>Regards
>>
>>Ralf
>>
>>
>>>Martin Bartosch wrote:
>>>Hi,
>>>
>>>
>>>>The exact error output with debugging enabled is:
>>>
>>>there are no SCEP debug messages in the log file. Did you set both
>>>Debug flags to 1 in log.xml? Such as:
>>>
>>><openca>
>>> <debug>1</debug>
>>> <stderr>/usr/local/openca-0.9.2/var/log/stderr.log</stderr>
>>> <log>
>>> <debug>1</debug>
>>> <slots>
>>>...
>>>
>>>After setting this you should restart OpenCA.
>>>
>>>You should get debug messages like the sample below. Please post this
>>>output.
>>>
>>>cheers
>>>
>>>Martin
>>>
>>>
>>>OpenCA::AC-> access granted
>>>OpenCA::AC->initToken: starting
>>>OpenCA::AC->initToken: successfully finished
>>>cmds->cmdScepPKIOperation: execute5: /usr/local/bin/openca-scep -in /
>>>usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_transid
>>>cmds->cmdScepPKIOperation: Pipe returned error code 0
>>>cmds->cmdScepPKIOperation: tid:
>>>cmds->cmdScepPKIOperation: execute_bt: /usr/local/bin/openca-scep -
>>>in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/
>>>certs/local/scep-key.pem -passin env:pwd -noout -print_scert > /usr/
>>>local/openca-0.9.2/var/tmp/scep_client_12872.crt
>>>cmds->cmdScepPKIOperation: Backtick expansion returned error code 0
>>>cmds->cmdScepPKIOperation: execute1: /usr/local/bin/openca-scep -in /
>>>usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_msgtype
>>>cmds->cmdScepPKIOperation: Pipe returned error code 0
>>>cmds->cmdScepPKIOperation: msgtype: PKCSReq (19)
>>>
>>>cmds->cmdScepPKIOperation: execute6: /usr/local/bin/openca-scep -in /
>>>usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/
>>>certs/local/scep-key.pem -passin env:pwd -noout -print_req
>>>cmds->cmdScepPKIOperation: Pipe returned error code 0
>>>cmds->cmdScepPKIOperation: csr: -----BEGIN CERTIFICATE REQUEST-----
>>>...
>>>
>>>
>>>_______________________________________________
>>>Openca-Users mailing list
>>>[email protected]
>>>https://lists.sourceforge.net/lists/listinfo/openca-users
>>>
>>
>>
>>--
>>
>>
>>
>>
>
>
>
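The required-keyword check discussed in this thread, as an added example that is not part of the original mails and is not OpenCA code: it reads the seven keywords from the scepPKIOperation loop into a hash instead of using string eval, and reports every missing or commented-out keyword in one pass. parse_conf() and check_required() are hypothetical names, and the parser assumes only the Keyword "value" line format shown in the quoted scep.conf.template.

```perl
use strict;
use warnings;

# Keyword list copied from the loop in scepPKIOperation.
my @REQUIRED = qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                  ScepDefaultRA ScepRenewalRDNMatch
                  ScepKeepSubjectAltName ScepAutoApprove);

# Hypothetical stand-in for OpenCA's config reader (Keyword "value" only).
sub parse_conf {
    my ($text) = @_;
    my (%set, %commented);
    for my $line (split /\n/, $text) {
        if ($line =~ /^\s*#\s*(\w+)\s+"[^"]*"/) {
            $commented{$1} = 1;      # keyword present but disabled
        } elsif ($line =~ /^\s*(\w+)\s+"([^"]*)"/) {
            $set{$1} = $2;           # an empty string is still a value
        }
    }
    return (\%set, \%commented);
}

# Returns (\%config, \@problems), listing every problem in one pass.
sub check_required {
    my ($text) = @_;
    my ($set, $commented) = parse_conf($text);
    my (%config, @problems);
    for my $key (@REQUIRED) {
        if (exists $set->{$key}) {
            $config{$key} = $set->{$key};   # hash slot, no string eval
        } else {
            push @problems, $commented->{$key}
                ? "$key is commented out" : "$key is missing";
        }
    }
    return (\%config, \@problems);
}

# Constructed sample: the General Section quoted in the thread.
my $sample = <<'EOF';
ScepAllowEnrollment "YES"
ScepAllowRenewal "YES"
ScepKeepSubjectAltName "YES"
ScepRenewalRDNMatch ""
ScepDefaultRole "User"
#ScepDefaultRA "MyRA"
ScepAutoApprove "NO"
EOF
my ($config, $problems) = check_required($sample);
print STDERR "ERROR: scep.conf: $_\n" for @$problems;
exit(@$problems ? 1 : 0);
```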