Hi

I could not decrypt the PKCS#7 with the signing key... probably I just
could not find the right openssl commands. Anyway. I set up a simple
CA/SCEP chain and now I am getting a little further. It looks like it
stops when signing. Now I get the error:

SCEP Request failed without error code set - default to badRequest

Any suggestions?

Here is the log:

2015/07/12 20:41:34 openxpki.system.ERROR:23958 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@6848] test show cmd: crl2pkcs7 -nocrl -outform DER -out 
/var/tmp/openxpki23958Vok7VsBh -certfile /var/tmp/openxpki23958Ng4TigfD 
-certfile /var/tmp/openxpki23958Wk361OXI 
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd:  -print_msgtype -noout -inform DER -in 
/var/tmp/openxpki23964dFNi1MAX -out /var/tmp/openxpki23964Xdqp2q3U
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd:  -print_transid -noout -inform DER -in 
/var/tmp/openxpki23964ckH92moj -out /var/tmp/openxpki23964hu3GB99c
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Service::SCEP::Command::PKIOperation 
(/usr/lib/perl5/OpenXPKI/Service/SCEP/Command/PKIOperation.pm:274); 
scep-server-1()@f775] SCEP incoming request, id 77DB8DCE1EAF4B05921EB71BFECD5F43
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Service::SCEP::Command::PKIOperation (324); scep-server-1()@f775] 
SCEP try to start new workflow for 77DB8DCE1EAF4B05921EB71BFECD5F43
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd:  -print_req -noout -passin env:pwd 
-keyfile /etc/openxpki/ssl/ca-one/ca-one-scep-1.pem -in 
/var/tmp/openxpki239640OigxBX_ -out /var/tmp/openxpki23964h1LAy9JG 
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd:  -print_scert -noout -passin env:pwd 
-keyfile /etc/openxpki/ssl/ca-one/ca-one-scep-1.pem -in 
/var/tmp/openxpki23964MATdz5Uv -out /var/tmp/openxpki23964YS8SPdE7 
2015/07/12 20:41:35 openxpki.application.ERROR:23964 
[OpenXPKI::Server::Workflow (702); scep-server-1()@f775] Workflow crashed 
during startup  wont save!
2015/07/12 20:41:35 openxpki.application.ERROR:23964 
[OpenXPKI::Server::Workflow (702); scep-server-1()@f775] Workflow crashed 
during startup  wont save!
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_initialize on workflow #767
2015/07/12 20:41:35 openxpki.system.INFO:23964 
[OpenXPKI::Server::Workflow::Persister::DBI (129); scep-server-1()@f775] 
Created workflow 767
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_extract_csr on workflow #767
2015/07/12 20:41:35 openxpki.application.WARN:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR 
(/usr/lib/perl5/OpenXPKI/Server/Workflow/Activity/SCEPv2/ExtractCSR.pm:100); 
scep-server-1()@f775] SCEP csr key size is ok (rsaEncryption / 2048)
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (113); 
scep-server-1()@f775] SCEP csr hash type is ok (sha1)
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (190); 
scep-server-1()@f775] SCEP subject rendering enabled ( 
I18N_OPENXPKI_PROFILE_TLS_SERVER / enroll ) 
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (249); 
scep-server-1()@f775] SCEP challenge password present on CSR subject: 
CN=,DC=Test Deployment,DC=OpenXPKI,DC=org
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd: x509 -out /var/tmp/openxpki23964mUV8DPRz 
-in /var/tmp/openxpki23964SJeeOLHS -inform PEM -outform DER
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (288); 
scep-server-1()@f775] SCEP signer subject: unstructuredName=router1.test.local 
- is selfsign
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd: smime -verify -inform PEM -in 
/var/tmp/openxpki23964w8TZKgrs -signer /var/tmp/openxpki23964OIR7abSb -noverify
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::ExtractCSR (357); 
scep-server-1()@f775] SCEP signature verified; CSR subject: CN=,DC=Test 
Deployment,DC=OpenXPKI,DC=org, Signer unstructuredName=router1.test.local
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_fetch_group_policy on workflow 
#767
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_eval_challenge on workflow #767
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateChallenge (84); 
scep-server-1()@f775] SCEP Challenge using compare validated
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_eval_signer_trust on workflow 
#767
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd: x509 -out /var/tmp/openxpki23964GwY9S4tH 
-in /var/tmp/openxpki23964lO3Q7XZC -inform PEM -outform DER
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateSignerTrust 
(/usr/lib/perl5/OpenXPKI/Server/Workflow/Activity/SCEPv2/EvaluateSignerTrust.pm:114);
 scep-server-1()@f775] SCEP Signer validation FAILED
2015/07/12 20:41:35 openxpki.application.FATAL:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateSignerTrust (131); 
scep-server-1()@f775] SCEP Signer Authorization unknown / unknown / 
unstructuredName=router1.test.local
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateSignerTrust (189); 
scep-server-1()@f775] SCEP Signer not found in trust list 
(unstructuredName=router1.test.local).
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action scep_eval_eligibility on workflow 
#767
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateEligibility (102); 
scep-server-1()@f775] SCEP eligibility for initial enrollment granted
2015/07/12 20:41:35 openxpki.application.INFO:23964 [OpenXPKI::Server::Workflow 
(129); scep-server-1()@f775] Execute action global_noop on workflow #767
2015/07/12 20:41:35 openxpki.application.INFO:23964 
[OpenXPKI::Service::SCEP::Command::PKIOperation (420); scep-server-1()@f775] 
SCEP started new workflow with id 767, state FAILURE
2015/07/12 20:41:35 openxpki.application.ERROR:23964 
[OpenXPKI::Service::SCEP::Command::PKIOperation (527); scep-server-1()@f775] 
SCEP Request failed without error code set - default to badRequest
2015/07/12 20:41:35 openxpki.system.ERROR:23964 [OpenXPKI::Crypto::CLI (437); 
scep-server-1()@f775] test show cmd:  -new -passin env:pwd -signcert 
/var/tmp/openxpki23964HNxADuSR -msgtype CertRep -status FAILURE -failinfo 
badRequest -keyfile /etc/openxpki/ssl/ca-one/ca-one-scep-1.pem -inform DER -in 
/var/tmp/openxpki23964FFrFho0J -outform DER -out /var/tmp/openxpki239643c8NtoWb 
 -sha1


Regards,
Lukas


On 10.07.2015 07:27, Oliver Welter wrote:
> Hi Lukas,
> 
> On 10.07.2015 at 00:20, Lukas Habegger wrote:
>>
>> I am trying to set up a SCEP auto-enroll environment for our Cisco routers.
>>
>> I did a basic setup of OpenXPKI and I am able to get the CA cert over
>> SCEP, but I can't get a cert.
>>
>> In /var/openxpki/openxpki.log I get the error "cannot decrypt request":
>>
>> ----------------------------------------------------------
>>
>> 2015/07/09 23:43:26 openxpki.system.ERROR:15526 [OpenXPKI::Crypto::CLI
>> (437); scep-server-1()@7f9e] test show cmd: crl2pkcs7 -nocrl -outform
>> DER -out /var/tmp/openxpki15526UkPNsHrM -certfile
>> /var/tmp/openxpki15526gM6Qyd39 -certfile /var/tmp/openxpki155264JL3FgaB
>> -certfile /var/tmp/openxpki15526aqpi2m2k
>>
> 
> 
> This means that OpenXPKI is not able to unwrap the SCEP transport container - 
> check if your key file of the scep token is named properly, readable and is 
> unlocked (password set in config or entered on the UI).
> 
> If this is ok, did you set up a "complex" CA/RA/SCEP chain or did you use the 
> default settings provided? We had problems with Cisco routers when the CA 
> cert and issuer are not under the same root - to test this, extract the PKCS#7 
> from the workflow and try to decrypt it using the CA signing key.
> 
> Oliver
> 

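The check Oliver suggests (take the PKCS#7 out of the workflow and open it with the SCEP/RA key) is the step Lukas says he could not find the openssl commands for. The script below is an added example, not OpenXPKI's code and not part of the thread: it generates throwaway test material (an RA key and certificate, a self-signed device certificate with an unstructuredName like the router in the log, and a PKCS#10 with a challengePassword), builds a SCEP-shaped PKIOperation container (signedData around envelopedData around the CSR), and then unwraps it the way the server does: strip the outer signature with -noverify because the signer is self-signed, decrypt the envelope with the RA key, and confirm the result is the original CSR. Against a real capture you would skip the construction part and feed the DER pulled from the workflow into the -verify step; `openssl smime` works the same way there as `openssl cms`. Note that the container built here carries none of the SCEP signed attributes (messageType, transactionID, senderNonce), which `openssl cms` cannot add, so it exercises only the transport unwrapping, not a full SCEP exchange. All names, subjects and the challenge value are constructed for the example.

```shell
#!/bin/sh
# Added example: build a SCEP-style PKIOperation container from constructed
# test material and unwrap it with the RA key, as a server would.
set -eu

scep_roundtrip() {
    w=$(mktemp -d)

    # RA/SCEP token: the key that has to be able to open the envelope.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test SCEP RA" -keyout "$w/ra.key" -out "$w/ra.crt" 2>/dev/null
    # Enrolling device: self-signed signer cert, as a Cisco router produces.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/unstructuredName=router1.test.local" \
        -keyout "$w/client.key" -out "$w/client.crt" 2>/dev/null

    # PKCS#10 carrying a challengePassword attribute (constructed values).
    cat > "$w/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
attributes = attr
[ dn ]
CN = router1.test.local
[ attr ]
challengePassword = SecretChallenge
EOF
    openssl req -new -config "$w/csr.cnf" -key "$w/client.key" \
        -outform DER -out "$w/csr.der" 2>/dev/null

    # Device side: envelope the CSR to the RA cert, then sign the envelope
    # with the device's self-signed cert. -nodetach embeds the content.
    openssl cms -encrypt -binary -aes-128-cbc -in "$w/csr.der" \
        -outform DER -out "$w/env.der" "$w/ra.crt"
    openssl cms -sign -binary -nodetach -signer "$w/client.crt" \
        -inkey "$w/client.key" -in "$w/env.der" -outform DER -out "$w/pkiop.der"

    # Server side.
    # 1. Check the outer signature and pull out the signer cert. -noverify
    #    skips chain building, which would fail for a self-signed signer.
    openssl cms -verify -inform DER -in "$w/pkiop.der" -noverify -binary \
        -signer "$w/signer.pem" -out "$w/env_out.der"
    # 2. Open the envelope with the RA key. If this fails on a real capture,
    #    the device encrypted to a different certificate than this key's.
    openssl cms -decrypt -inform DER -in "$w/env_out.der" \
        -recip "$w/ra.crt" -inkey "$w/ra.key" -out "$w/csr_out.der"
    # 3. What comes out must be a self-consistent PKCS#10, byte-identical
    #    to what the device put in.
    openssl req -inform DER -in "$w/csr_out.der" -noout -verify >/dev/null 2>&1
    cmp -s "$w/csr.der" "$w/csr_out.der"

    echo "signer: $(openssl x509 -in "$w/signer.pem" -noout -subject)"
    echo "csr:    $(openssl req -inform DER -in "$w/csr_out.der" -noout -subject)"
    rm -rf "$w"
    echo "roundtrip=ok"
}

scep_roundtrip
```

On a real request the interesting failure is at step 2: if `-decrypt` reports a decryption or recipient error, the router enveloped the CSR to a certificate other than the one the RA key belongs to, which is exactly the CA/issuer mismatch Oliver describes. In Lukas's second log the unwrapping already succeeds and the workflow reaches `scep_eval_signer_trust`, so the remaining problem is in the signer-trust evaluation, not in the container.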
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
