Hi Oliver,

Thanks for your help, I have now managed to get the EST Server to issue certificates using TLS for client authentication.
Further configuration and testing of EST will now be performed to confirm EST will meet our requirements. It would be good to get the Docker container to the point where EST can be used with it without any configuration, please let me know if you would like any help incorporating the changes to make this happen.

James

On 21 Dec 2019, at 08:05, Oliver Welter <[email protected]> wrote:

Hi James,

I don't know if you saw my reply https://sourceforge.net/p/openxpki/mailman/message/36883604/

The EST Workflow is the same as the SCEP one, which is documented in some detail here https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html

Create a file est/default.yaml from the config example given there and it should work.

Oliver

On 20.12.19 at 16:56, James Gibson wrote:

I have managed to make a bit more progress. I found that the `cert_profile` and `cert_subject_style` variables are not being set in the workflow, so these have been set in the est.fcgi script:

    $param->{'cert_profile'} = 'tls_server';
    $param->{'cert_subject_style'} = '00_basic_style';

The request is then processed correctly, but the request is not approved so returns HTTP 503, and logs "Request Pending - INITIAL". When I log in as the operator there are no pending requests or any record of that workflow_id.

Thanks,
James

On 20 Dec 2019, at 12:07, James Gibson <[email protected]> wrote:

Hi,

I am trying to set up OpenXPKI as an EST Server for a project. I have an instance of OpenXPKI running using the Docker Compose https://github.com/openxpki/openxpki-docker, that can correctly issue certificates using the WebUI. It also correctly returns the Root Certificate Authority when the EST `/cacerts` endpoint is used, thanks to Oliver Welter for their help getting that working by changing the file permissions of the log directory.

However when I try to request a certificate using the `/simpleenroll` endpoint and TLS Authentication, the EST server returns an HTTP 500 - Internal Server Error response. In the logs the only information is that an exception has been raised but not what has caused it.

This is the request I am sending:

    curl https://<hostname>/.well-known/est/simpleenroll --cacert ./OpenXPKI_Root_CA.crt --key pkiclient.key --cert client.crt --data-binary @req.p10 -H "Content-Type: application/pkcs10" -o cert.p7

And the debug log from EST, with confidential information removed ("<example>"):

    2019/12/20 11:55:06 DEBUG:177 Incoming request /.well-known/est/simpleenroll
    2019/12/20 11:55:06 DEBUG:177 calling context is https
    2019/12/20 11:55:06 INFO:177 EST authenticated client DN: CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
    2019/12/20 11:55:06 DEBUG:177 Initialize client
    2019/12/20 11:55:06 DEBUG:177 Started volatile session with id: OXgmVXKLS+SV//PCKZuRig==
    2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System
    2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
    2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
      'workflow' => {
        'label' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'state' => 'PARSED',
        'reap_at' => 1576843209,
        'title' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
        'proc_state' => 'exception',
        'type' => 'certificate_enroll',
        'last_update' => '2019-12-20T11:55:10',
        'context' => {
          'req_extensions' => {},
          'csr_subject' => '[email protected],CN=d.d.c,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU',
          'workflow_id' => '9215',
          'signer_cert' => '-----BEGIN CERTIFICATE----- <example> -----END CERTIFICATE----- ',
          'cert_info' => '',
          'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
          'server' => 'default',
          'cert_subject_alt_name' => '',
          'csr_digest_alg' => 'sha256',
          'req_attributes' => {},
          'wf_current_action' => 'enroll_render_subject',
          'csr_key_params' => {
            'key_length' => 256,
            'curve_name' => 'secp256r1'
          },
          'creator' => 'anonymous',
          'cert_san_parts' => '',
          'interface' => 'est',
          'wf_exception' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',
          'csr_key_alg' => 'ec',
          'csr_subject_key_identifier' => '7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43',
          'cert_subject_parts' => 'OXJSF1:{"EMAILADDRESS":["[email protected]"],"CN":["d.d.c"],"C":["AU"],"O":["Internet Widgits Pty Ltd"],"ST":["Some-State"]}',
          'sources' => 'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}',
          'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- <example> -----END CERTIFICATE REQUEST----- '
        },
        'description' => 'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
        'wake_up_at' => undef,
        'count_try' => 0,
        'id' => 9215
      }
    };
    2019/12/20 11:55:11 INFO:177 Started new workflow 9215
    2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = {
      'signer_cert' => '-----BEGIN CERTIFICATE----- <example> -----END CERTIFICATE----- ',
      'pkcs10' => '-----BEGIN CERTIFICATE REQUEST----- <example> -----END CERTIFICATE REQUEST----- ',
      'server' => 'default',
      'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
      'interface' => 'est'
    };
    2019/12/20 11:55:11 ERROR:177 Internal Server Error
    2019/12/20 11:55:11 INFO:177 Disconnect client

When this CSR is submitted using the OpenXPKI WebUI the request is successful, after entering the required requester information in the interface.

Any help in working out why this request is failing would be much appreciated. Is there anything I need to configure to control who is authorised to issue certificates using the EST endpoint?

Also, is there any support for the `/simplereenroll` endpoint in OpenXPKI? This endpoint returns even less debug when called:

    2019/12/20 12:04:13 DEBUG:177 Incoming request /.well-known/est/simplereenroll
    2019/12/20 12:04:13 DEBUG:177 calling context is https
    2019/12/20 12:04:13 INFO:177 EST authenticated client DN: CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
    2019/12/20 12:04:13 TRACE:177
    2019/12/20 12:04:13 INFO:177 Disconnect client
    2019/12/20 12:04:13 DEBUG:177 Initialize client
    2019/12/20 12:04:13 DEBUG:177 Started volatile session with id: nLpBtGmFSzy5Yt+91ryfkA==
    2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
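As an added example (not from the thread and not the OpenXPKI project's own file), an est/default.yaml modelled on the SCEP reference configuration Oliver links to, which supplies the profile and subject style James otherwise had to hard-code in est.fcgi. The key names are taken from the SCEP documentation and should be checked against that page for your OpenXPKI version; the signer DN pattern is a constructed value matching the log above.

```yaml
# est/default.yaml (constructed example). Read for the "default" EST server,
# i.e. the 'server' => 'default' value seen in the workflow context above.
label: EST Server

# EST runs the same workflow as SCEP, as seen in 'type' => 'certificate_enroll'
workflow_type: certificate_enroll

# The two values James set by hand in est.fcgi. With no profile configured the
# enroll_render_subject step raises the ..._RENDER_SUBJECT_NO_PROFILE exception
# from the log, which the EST endpoint reports only as HTTP 500.
profile: tls_server
subject_style: 00_basic_style

policy:
  # no anonymous enrollment; every request must be signed by an authorized
  # TLS client certificate (see authorized_signer below)
  allow_anon_enroll: 0
  # requests that are not eligible for automatic issuance wait for an
  # operator ("Request Pending - INITIAL", HTTP 503 to the client)
  allow_man_approv: 1
  max_active_certs: 1

# Only TLS client certificates whose subject matches may submit requests.
# Pattern is a constructed example based on the client DN in the log.
authorized_signer:
  rule1:
    subject: CN=.+:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org

# Eligibility for automatic issuance, in the syntax of the SCEP reference
# config (check against the linked docs): first requests wait for approval,
# renewals of an existing certificate are issued automatically.
eligible:
  initial:
    value: 0
  renewal:
    value: 1
```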
