I have managed to make a bit more progress. I found that the `cert_profile` and 
`cert_subject_style` variables are not being set in the workflow, so these have 
been set in the est.fcgi script.

$param->{'cert_profile'} = 'tls_server';
$param->{'cert_subject_style'} = '00_basic_style';

The request is then processed correctly, but the request is not approved, so it 
returns HTTP 503 and logs "Request Pending - INITIAL".

When I log in as the operator there are no pending requests or any record of 
that workflow_id.

Thanks,
James
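An added triage helper, written for this thread and not part of OpenXPKI or the author's setup: it pulls out of a debug log like the one quoted below the handful of fields that explain the outcome, in particular the proc_state and wf_exception inside the Data::Dumper blob, which here point at the missing profile, and it recognises the reenroll case where no workflow is created at all. The sample log is constructed by condensing the quoted one.

```python
import re

# Constructed sample, condensed from the debug log quoted in the thread
# (<example> marks the author's own redactions); not the original log verbatim.
SAMPLE_LOG = """\
2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll
2019/12/20 11:55:06 INFO:177 EST authenticated client DN:
CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
          'workflow' => {
                          'proc_state' => 'exception',
                          'context' => {
                                         'wf_current_action' =>
'enroll_render_subject',
                                         'wf_exception' =>
'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE'
                                       }
                        }
        };
2019/12/20 11:55:11 ERROR:177 Internal Server Error
"""

def _first(pattern, text):
    """First capture group of pattern in text, stripped, or None if absent."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def triage_est_log(text):
    """Reduce one EST request's debug output to the fields that explain its outcome."""
    s = {
        "endpoint": _first(r"Incoming request (\S+)", text),
        "client_dn": _first(r"EST authenticated client DN:\s*(.+)", text),
        "workflow_id": _first(r"Workflow created \(ID: (\d+)\)", text),
        "http_error": _first(r"ERROR:\d+ (.+)", text),
    }
    # Data::Dumper keys; the value may be wrapped onto the following line,
    # so any whitespace (including a newline) is allowed after '=>'.
    for key in ("proc_state", "wf_current_action", "wf_exception"):
        s[key] = _first(r"'%s'\s*=>\s*'([^']*)'" % re.escape(key), text)
    return s

def explain(s):
    """One-line diagnosis from the triage result."""
    if s["workflow_id"] is None:
        return "no workflow created; request never reached the enrollment workflow"
    if s["proc_state"] == "exception":
        return "workflow %s failed in %s: %s" % (s["workflow_id"], s["wf_current_action"], s["wf_exception"])
    return "workflow %s running, proc_state=%s" % (s["workflow_id"], s["proc_state"])
```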

On 20 Dec 2019, at 12:07, James Gibson 
<[email protected]> wrote:

Hi,

I am trying to set up OpenXPKI as an EST Server for a project.

I have an instance of OpenXPKI running using the Docker Compose from 
https://github.com/openxpki/openxpki-docker, which can correctly issue 
certificates using the WebUI.
It also correctly returns the Root Certificate Authority when the EST 
`/cacerts` endpoint is used; thanks to Oliver Welter for their help getting 
that working by changing the file permissions of the log directory.

However, when I try to request a certificate using the `/simpleenroll` endpoint 
and TLS authentication, the EST server returns an HTTP 500 - Internal Server 
Error response. In the logs the only information is that an exception has been 
raised, but not what caused it.

This is the request I am sending:
curl https://<hostname>/.well-known/est/simpleenroll --cacert 
./OpenXPKI_Root_CA.crt --key pkiclient.key --cert client.crt --data-binary 
@req.p10 -H "Content-Type: application/pkcs10" -o cert.p7

And the debug log from EST, with confidential information replaced by "<example>":
2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll
2019/12/20 11:55:06 DEBUG:177 calling context is https
2019/12/20 11:55:06 INFO:177 EST authenticated client DN: 
CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 11:55:06 DEBUG:177 Initialize client
2019/12/20 11:55:06 DEBUG:177 Started volatile session with id: 
OXgmVXKLS+SV//PCKZuRig==
2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System
2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
         'workflow' => {
                         'label' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                         'state' => 'PARSED',
                         'reap_at' => 1576843209,
                         'title' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                         'proc_state' => 'exception',
                         'type' => 'certificate_enroll',
                         'last_update' => '2019-12-20T11:55:10',
                         'context' => {
                                        'req_extensions' => {},
                                        'csr_subject' => 
'[email protected],CN=d.d.c,O=Internet 
Widgits Pty Ltd,ST=Some-State,C=AU',
                                        'workflow_id' => '9215',
                                        'signer_cert' => '-----BEGIN 
CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
                                        'cert_info' => '',
                                        'transaction_id' => 
'e2034e3aff35d8b893e497e354d51b2551de2272',
                                        'server' => 'default',
                                        'cert_subject_alt_name' => '',
                                        'csr_digest_alg' => 'sha256',
                                        'req_attributes' => {},
                                        'wf_current_action' => 
'enroll_render_subject',
                                        'csr_key_params' => {
                                                              'key_length' => 
256,
                                                              'curve_name' => 
'secp256r1'
                                                            },
                                        'creator' => 'anonymous',
                                        'cert_san_parts' => '',
                                        'interface' => 'est',
                                        'wf_exception' => 
'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',
                                        'csr_key_alg' => 'ec',
                                        'csr_subject_key_identifier' => 
'7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43',
                                        'cert_subject_parts' => 
'OXJSF1:{"EMAILADDRESS":["[email protected]"],"CN":["d.d.c"],"C":["AU"],"O":["Internet
 Widgits Pty Ltd"],"ST":["Some-State"]}',
                                        'sources' => 
'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}',
                                        'pkcs10' => '-----BEGIN CERTIFICATE 
REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
'
                                      },
                         'description' => 
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
                         'wake_up_at' => undef,
                         'count_try' => 0,
                         'id' => 9215
                       }
       };
2019/12/20 11:55:11 INFO:177 Started new workflow 9215
2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = {
         'signer_cert' => '-----BEGIN CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
         'pkcs10' => '-----BEGIN CERTIFICATE REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
',
         'server' => 'default',
         'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
         'interface' => 'est'
       };
2019/12/20 11:55:11 ERROR:177 Internal Server Error
2019/12/20 11:55:11 INFO:177 Disconnect client

When this CSR is submitted using the OpenXPKI WebUI the request is 
successful, after entering the required requester information in the 
interface.

Any help in working out why this request is failing would be much appreciated.
Is there anything I need to configure to control who is authorised to issue 
certificates using the EST endpoint?

Also, is there any support for the `/simplereenroll` endpoint in OpenXPKI? This 
endpoint returns even less debug output when called:
2019/12/20 12:04:13 DEBUG:177 Incoming request /.well-known/est/simplereenroll
2019/12/20 12:04:13 DEBUG:177 calling context is https
2019/12/20 12:04:13 INFO:177 EST authenticated client DN: 
CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 12:04:13 TRACE:177
2019/12/20 12:04:13 INFO:177 Disconnect client
2019/12/20 12:04:13 DEBUG:177 Initialize client
2019/12/20 12:04:13 DEBUG:177 Started volatile session with id: 
nLpBtGmFSzy5Yt+91ryfkA==
2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users