Hi James,

I don't know if you saw my reply
https://sourceforge.net/p/openxpki/mailman/message/36883604/

The EST Workflow is the same as the SCEP one which is documented in some detail here
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html

Create a file est/default.yaml from the config example given there and it should work.

Oliver

On 20.12.19 at 16:56, James Gibson wrote:
>
> I have managed to make a bit more progress, I found that the
> `cert_profile` and `cert_subject_style` variables are not being set in
> the workflow, so these have been set in the est.fcgi script.
>
> $param->{'cert_profile'} = 'tls_server';
> $param->{'cert_subject_style'} = '00_basic_style';
>
> The request is then processed correctly, but the request is not approved
> so returns HTTP 503, and logs "Request Pending - INITIAL"
>
> When I log in as the operator there are no pending requests or any record
> of that workflow_id
>
> Thanks,
> James
>
>> On 20 Dec 2019, at 12:07, James Gibson <[email protected]> wrote:
>>
>> Hi,
>>
>> I am trying to setup OpenXPKI as an EST Server for a project.
>>
>> I have an instance of OpenXPKI running using the Docker Compose
>> https://github.com/openxpki/openxpki-docker, that can correctly issue
>> certificates using the WebUI.
>> It also correctly returns the Root Certificate Authority when the EST
>> `/cacerts` endpoint is used, thanks to Oliver Welter for their help
>> getting that working by changing the file permissions of the log
>> directory.
>>
>> However when I try to request a certificate using the `/simpleenroll`
>> endpoint and TLS Authentication, the EST server returns an HTTP 500 -
>> Internal Server Error response. In the logs the only information is
>> that an exception has been raised but not what has caused it.
>>
>> This is the request I am sending:
>> curl https://<hostname>/.well-known/est/simpleenroll \
>>   --cacert ./OpenXPKI_Root_CA.crt --key pkiclient.key --cert client.crt \
>>   --data-binary @req.p10 -H "Content-Type: application/pkcs10" -o cert.p7
>>
>> And the debug log from EST, with confidential information removed
>> "<example>":
>> 2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll
>> 2019/12/20 11:55:06 DEBUG:177 calling context is https
>> 2019/12/20 11:55:06 INFO:177 EST authenticated client DN: CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
>> 2019/12/20 11:55:06 DEBUG:177 Initialize client
>> 2019/12/20 11:55:06 DEBUG:177 Started volatile session with id: OXgmVXKLS+SV//PCKZuRig==
>> 2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System
>> 2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
>> 2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
>>   'workflow' => {
>>     'label' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
>>     'state' => 'PARSED',
>>     'reap_at' => 1576843209,
>>     'title' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
>>     'proc_state' => 'exception',
>>     'type' => 'certificate_enroll',
>>     'last_update' => '2019-12-20T11:55:10',
>>     'context' => {
>>       'req_extensions' => {},
>>       'csr_subject' => '[email protected],CN=d.d.c,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU',
>>       'workflow_id' => '9215',
>>       'signer_cert' => '-----BEGIN CERTIFICATE-----
>> <example>
>> -----END CERTIFICATE-----
>> ',
>>       'cert_info' => '',
>>       'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
>>       'server' => 'default',
>>       'cert_subject_alt_name' => '',
>>       'csr_digest_alg' => 'sha256',
>>       'req_attributes' => {},
>>       'wf_current_action' => 'enroll_render_subject',
>>       'csr_key_params' => {
>>         'key_length' => 256,
>>         'curve_name' => 'secp256r1'
>>       },
>>       'creator' => 'anonymous',
>>       'cert_san_parts' => '',
>>       'interface' => 'est',
>>       'wf_exception' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',
>>       'csr_key_alg' => 'ec',
>>       'csr_subject_key_identifier' => '7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43',
>>       'cert_subject_parts' => 'OXJSF1:{"EMAILADDRESS":["[email protected]"],"CN":["d.d.c"],"C":["AU"],"O":["Internet Widgits Pty Ltd"],"ST":["Some-State"]}',
>>       'sources' => 'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}',
>>       'pkcs10' => '-----BEGIN CERTIFICATE REQUEST-----
>> <example>
>> -----END CERTIFICATE REQUEST-----
>> '
>>     },
>>     'description' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
>>     'wake_up_at' => undef,
>>     'count_try' => 0,
>>     'id' => 9215
>>   }
>> };
>> 2019/12/20 11:55:11 INFO:177 Started new workflow 9215
>> 2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = {
>>   'signer_cert' => '-----BEGIN CERTIFICATE-----
>> <example>
>> -----END CERTIFICATE-----
>> ',
>>   'pkcs10' => '-----BEGIN CERTIFICATE REQUEST-----
>> <example>
>> -----END CERTIFICATE REQUEST-----
>> ',
>>   'server' => 'default',
>>   'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
>>   'interface' => 'est'
>> };
>> 2019/12/20 11:55:11 ERROR:177 Internal Server Error
>> 2019/12/20 11:55:11 INFO:177 Disconnect client
>>
>> When this CSR is submitted using the OpenXPKI WebUI the request is
>> successful, after entering the required requester information in the
>> interface.
>>
>> Any help in working out why this request is failing would be much
>> appreciated.
>> Is there anything I need to configure to control who is authorised to
>> issue certificates using the EST endpoint?
>>
>> Also is there any support for the `/simplereenroll` endpoint in
>> OpenXPKI? This endpoint returns even less debug when called:
>> 2019/12/20 12:04:13 DEBUG:177 Incoming request /.well-known/est/simplereenroll
>> 2019/12/20 12:04:13 DEBUG:177 calling context is https
>> 2019/12/20 12:04:13 INFO:177 EST authenticated client DN: CN=<exmple>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
>> 2019/12/20 12:04:13 TRACE:177
>> 2019/12/20 12:04:13 INFO:177 Disconnect client
>> 2019/12/20 12:04:13 DEBUG:177 Initialize client
>> 2019/12/20 12:04:13 DEBUG:177 Started volatile session with id: nLpBtGmFSzy5Yt+91ryfkA==
>> 2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
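Added example, not part of the original thread and not OpenXPKI code: the HTTP 500 response hides the cause, but the TRACE dump quoted in the thread carries it in `proc_state` and `wf_exception`. The Python below pulls those fields out of an EST log and lists which of the two context keys named in the thread are absent; the sample log is constructed from the quoted excerpt, and the names `triage`, `SAMPLE_LOG` and `REQUIRED` are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the EST trace quoted in the thread (shortened).
SAMPLE_LOG = """\
2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
  'workflow' => {
    'state' => 'PARSED',
    'proc_state' => 'exception',
    'context' => {
      'workflow_id' => '9215',
      'wf_current_action' => 'enroll_render_subject',
      'interface' => 'est',
      'wf_exception' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE'
    },
    'id' => 9215
  }
};
2019/12/20 11:55:11 ERROR:177 Internal Server Error
"""

# A log record starts with a timestamp; Data::Dumper output continues on later lines.
RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+:\d+ ", re.M)
# 'key' => 'quoted value' or 'key' => bareword/number; nested hashes are skipped.
PAIR = re.compile(r"'(\w+)'\s*=>\s*(?:'([^']*)'|(\w+))")
# Context keys the thread reports as not being set for EST requests.
REQUIRED = ("cert_profile", "cert_subject_style")

def triage(log_text):
    """Return one finding per workflow dump: failure state, exception, missing keys."""
    findings = []
    starts = [m.start() for m in RECORD_START.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        record = log_text[begin:end]
        if "Result of workflow action" not in record:
            continue
        fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(record)}
        findings.append({
            "workflow_id": fields.get("workflow_id") or fields.get("id"),
            "state": fields.get("state"),
            "failed": fields.get("proc_state") == "exception",
            "action": fields.get("wf_current_action"),
            "exception": fields.get("wf_exception"),
            "missing": [key for key in REQUIRED if not fields.get(key)],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```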
