Re: [OpenXPKI-users] EST Server Support

[Oliver Welter]

Hi James,

glad to hear its working now - I already made commits on the code and 
config repository (develop branches) to fix the issues, so the next 
release should work out of the box. If you don't want to wait - the 
Dockerfile to make the container is also in the repository so it should 
be easy to make an interim image.

Merry christmas

Oliver

Am 24.12.19 um 12:00 schrieb James Gibson:
Hi Oliver,

Thanks for your help, I have now managed to get the EST Server to issue 
certificates using TLS for client authentication.

Further configuration and testing of EST will now be performed to 
confirm EST will meet our requirements.

It would be good to get the Docker container to the point where EST can 
be used with it without any configuration, please let me know if you 
would like any help incorporating the changes to make this happen.


James


On 21 Dec 2019, at 08:05, Oliver Welter <m...@oliwel.de 
<mailto:m...@oliwel.de>> wrote:

Hi James,

I dont know if you saw my reply
https://sourceforge.net/p/openxpki/mailman/message/36883604/

The EST Workflow is the same as the SCEP one which is documented
somewhat detailed here
https://openxpki.readthedocs.io/en/latest/reference/configuration/workflows/scep.html

Create a file est/default.yaml from the config example given there and
it should work.

Oliver

Am 20.12.19 um 16:56 schrieb James Gibson:

I have manage to make a bit more progress, I found that the
`cert_profile` and `cert_subject_style` variables are not being set in
the workflow, so these have been set in the est.fcgi script.

$param->{'cert_profile’} = ’tls_server’
$param->{‘cert_subject_style’} = ’00_basic_style’

The request is then processed correctly, but the request is not approved
so returns HTTP 503, and logs "Request Pending - INITIAL”

When I log in as the operator there are no pending request or any record
of that workflow_id

Thanks,
James



On 20 Dec 2019, at 12:07, James Gibson <james.gib...@bbc.co.uk 
<mailto:james.gib...@bbc.co.uk>
<mailto:james.gib...@bbc.co.uk>> wrote:


Hi,

I am trying to setup OpenXPKI as an EST Server for a project.

I have an instance of OpenXPKI running using the Docker Compose
https://github.com/openxpki/openxpki-docker, that can correctly issue
certificates using the WebUI.
It also correctly returns the Root Certificate Authority when the EST
`/cacerts` endpoint is used, thanks to Oliver Welter for their help
getting that working by changing the file permissions of the log
directory.

However when I try to request a certificate using the `/simpleenroll`
endpoint and TLS Authentication, the EST server returns an HTTP 500 -
Internal Server Error response. In the logs the only information is
that an exceptions has been raised but not what has caused it.

This is the request I am sending:
curl https://<hostname>/.well-known/est/simpleenroll --cacert
./OpenXPKI_Root_CA.crt --key pkiclient.key --cert client.crt
--data-binary @req.p10 -H "Content-Type: application/pkcs10" -o cert.p7

And the debug log from EST, with confidential information removed
“<example>”:
2019/12/20 11:55:06 DEBUG:177 Incoming request
/.well-known/est/simpleenroll
2019/12/20 11:55:06 DEBUG:177 calling context is https
2019/12/20 11:55:06 INFO:177 EST authenticated client DN:
CN=<example>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 11:55:06 DEBUG:177 Initialize client
2019/12/20 11:55:06 DEBUG:177 Started volatile session with id:
OXgmVXKLS+SV//PCKZuRig==
2019/12/20 11:55:06 DEBUG:177 Selecting auth stack _System
2019/12/20 11:55:11 DEBUG:177 Workflow created (ID: 9215), State: PARSED
2019/12/20 11:55:11 TRACE:177 Result of workflow action: $VAR1 = {
         'workflow' => {
                         'label' =>
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                         'state' => 'PARSED',
                         'reap_at' => 1576843209,
                         'title' =>
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_LABEL',
                         'proc_state' => 'exception',
                         'type' => 'certificate_enroll',
                         'last_update' => '2019-12-20T11:55:10',
                         'context' => {
                                        'req_extensions' => {},
                                        'csr_subject' =>
'emailAddress=d...@d.com <mailto:emailAddress=d...@d.com>
<mailto:emailAddress=d...@d.com>,CN=d.d.c,O=Internet Widgits Pty
Ltd,ST=Some-State,C=AU',
                                        'workflow_id' => '9215',
                                        'signer_cert' => '-----BEGIN
CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
                                        'cert_info' => '',
                                        'transaction_id' =>
'e2034e3aff35d8b893e497e354d51b2551de2272',
                                        'server' => 'default',
                                        'cert_subject_alt_name' => '',
                                        'csr_digest_alg' => 'sha256',
                                        'req_attributes' => {},
                                        'wf_current_action' =>
'enroll_render_subject',
                                        'csr_key_params' => {
                                                              'key_length'
=> 256,
                                                              'curve_name'
=> 'secp256r1'
                                                            },
                                        'creator' => 'anonymous',
                                        'cert_san_parts' => '',
                                        'interface' => 'est',
                                        'wf_exception' =>
'I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_RENDER_SUBJECT_NO_PROFILE',
                                        'csr_key_alg' => 'ec',
                                        'csr_subject_key_identifier'
=> '7D:7E:F2:00:2F:C7:ED:0E:AB:4A:87:F6:A7:37:BF:66:33:C4:10:43',
                                        'cert_subject_parts' =>
'OXJSF1:{"EMAILADDRESS":["d...@d.com <mailto:d...@d.com>
<mailto:d...@d.com>"],"CN":["d.d.c"],"C":["AU"],"O":["Internet Widgits
Pty Ltd"],"ST":["Some-State"]}',
                                        'sources' =>
'OXJSF1:{"req_attributes":"PKCS10","req_extensions":"PKCS10","cert_subject_parts":"PKCS10","signer_cert":"api","server":"api","transaction_id":"api","interface":"api","pkcs10":"api"}',
                                        'pkcs10' => '-----BEGIN
CERTIFICATE REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
'
                                      },
                         'description' =>
'I18N_OPENXPKI_UI_WORKFLOW_TYPE_CERT_ENROLL_DESC',
                         'wake_up_at' => undef,
                         'count_try' => 0,
                         'id' => 9215
                       }
       };
2019/12/20 11:55:11 INFO:177 Started new workflow 9215
2019/12/20 11:55:11 TRACE:177 Workflow Params $VAR1 = {
         'signer_cert' => '-----BEGIN CERTIFICATE-----
<example>
-----END CERTIFICATE-----
',
         'pkcs10' => '-----BEGIN CERTIFICATE REQUEST-----
<example>
-----END CERTIFICATE REQUEST-----
',
         'server' => 'default',
         'transaction_id' => 'e2034e3aff35d8b893e497e354d51b2551de2272',
         'interface' => 'est'
       };
2019/12/20 11:55:11 ERROR:177 Internal Server Error
2019/12/20 11:55:11 INFO:177 Disconnect client


When this CSR is submitted using the OpenXPKI WebUI the request is
successfully, after entering the required requester information in the
interface.

Any help in working out why this request is failing would be much
appreciated.
Is there anything I need to configure to control who is authorised to
issue certificates using the EST endpoint?

Also is there any support for the `/simplerenroll` endpoint in
OpenXPKI? This endpoint returns even less debug when called:
2019/12/20 12:04:13 DEBUG:177 Incoming request
/.well-known/est/simplereenroll
2019/12/20 12:04:13 DEBUG:177 calling context is https
2019/12/20 12:04:13 INFO:177 EST authenticated client DN:
CN=<exmple>:pkiclient,DC=Test Deployment,DC=OpenXPKI,DC=org
2019/12/20 12:04:13 TRACE:177
2019/12/20 12:04:13 INFO:177 Disconnect client
2019/12/20 12:04:13 DEBUG:177 Initialize client
2019/12/20 12:04:13 DEBUG:177 Started volatile session with id:
nLpBtGmFSzy5Yt+91ryfkA==
2019/12/20 12:04:13 DEBUG:177 Selecting auth stack _System







_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net 
<mailto:OpenXPKI-users@lists.sourceforge.net>
<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net 
<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net 
<mailto:OpenXPKI-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/openxpki-users



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users



--
Protect your environment -  close windows and adopt a penguin!


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users