Hi Jeff,

sounds like your enrollment workflow takes too long to finish and blocks the client. E.g. broken backend lookups, poor database performance...

Oliver

On 22.04.20 at 15:05, Jefferson Dümes wrote:
> Hi people,
>
> every first attempt to ask OpenXPKI to sign a cert via EST I get a
> "Internal Server Error" and est.log shows this:
>
> 2020/04/22 11:01:52 DEBUG:82 Incoming request /.well-known/est/simpleenroll
> 2020/04/22 11:01:52 DEBUG:82 calling context is https
> 2020/04/22 11:01:52 INFO:82 EST authenticated client DN:
> CN=mar:pkiclient,O=MyOrg
> 2020/04/22 11:01:52 DEBUG:82 Initialize client
> 2020/04/22 11:01:53 DEBUG:82 Started volatile session with id:
> IHuKcV75QJOOFxviXrVFfA==
> 2020/04/22 11:01:53 DEBUG:82 Selecting auth stack _System
> 2020/04/22 11:02:24 INFO:82 Started new workflow
> 2020/04/22 11:02:24 ERROR:82 I18N_OPENXPKI_CLIENT_COLLECT_TIMEOUT
> 2020/04/22 11:02:24 INFO:82 Disconnect client
>
> Notice: a lag of about 30 secs between "Selecting auth stack _System"
> and "Started new workflow"
>
> Then I send the same request and I get the cert as expected with this in
> est.log
>
> 2020/04/22 11:06:45 DEBUG:83 Config for service est loaded
> 2020/04/22 11:06:45 INFO:83 EST handler initialized
> 2020/04/22 11:06:45 DEBUG:83 Incoming request /.well-known/est/simpleenroll
> 2020/04/22 11:06:45 DEBUG:83 calling context is https
> 2020/04/22 11:06:45 INFO:83 EST authenticated client DN:
> CN=mar:pkiclient,O=MyOrg
> 2020/04/22 11:06:45 DEBUG:83 Initialize client
> 2020/04/22 11:06:45 DEBUG:83 Started volatile session with id:
> irR/wxjJRZ2DJRVHolXs6g==
> 2020/04/22 11:06:45 DEBUG:83 Selecting auth stack _System
> 2020/04/22 11:06:45 INFO:83 Found workflow - reload 20735
> 2020/04/22 11:06:45 DEBUG:83 request for workflow info on 20735
> 2020/04/22 11:06:45 DEBUG:83 Sending cert TNQt2_XXwwn7pXHrykj9Gb09_Ys
> 2020/04/22 11:06:45 INFO:83 Disconnect client
>
> This is my default.yaml in config.d/realm/myorg/est
>
> label: Enrollment
>
> authorized_signer:
>     rule1:
>         # Full DN
>         subject: CN=.+:scepclient,.*
>     rule2:
>         # Full DN
>         subject: CN=.+:pkiclient,.*
>
> renewal_period: 000060
>
> # You must set at least one of both options or remove the is_policy_loaded
> # condition in the workflow definition
> policy:
>     allow_man_authen: 0
>     allow_man_approv: 0
>     max_active_certs: 0
>     auto_revoke_existing_certs: 1
>     approval_points: 1
>     export_certificate: chain
>
> profile:
>     cert_profile: tls_server
>     cert_subject_style: enroll
>
>
> eligible:
>     initial:
>         value: 1
>
>     renewal:
>         value: 1
>
>     onbehalf:
>         value: 1
>
> Adding "-connect-timeout 60" or "--max-time 60" or both didn't help at all.
>
> Regards,
> Jeff
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
Protect your environment - close windows and adopt a penguin!
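
The lag Jeff points out before "Started new workflow", and the COLLECT_TIMEOUT that follows it, can be picked out of est.log mechanically. This is an added example, not part of the original thread or of OpenXPKI; `find_stalls`, `min_gap` and the reading of the number after the log level as a worker process id are assumptions, and the sample lines are an excerpt of the log quoted in the thread.

```python
import re
from datetime import datetime

# Excerpt of the est.log lines quoted in the thread (not a full log).
SAMPLE_LOG = """\
2020/04/22 11:01:52 DEBUG:82 Initialize client
2020/04/22 11:01:53 DEBUG:82 Started volatile session with id:
IHuKcV75QJOOFxviXrVFfA==
2020/04/22 11:01:53 DEBUG:82 Selecting auth stack _System
2020/04/22 11:02:24 INFO:82 Started new workflow
2020/04/22 11:02:24 ERROR:82 I18N_OPENXPKI_CLIENT_COLLECT_TIMEOUT
2020/04/22 11:02:24 INFO:82 Disconnect client
2020/04/22 11:06:45 DEBUG:83 Selecting auth stack _System
2020/04/22 11:06:45 INFO:83 Found workflow - reload 20735
2020/04/22 11:06:45 INFO:83 Disconnect client
"""

# "<date> <time> <LEVEL>:<id> <message>"; the id is assumed to be the worker pid.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\w+):(\d+) (.*)$")

def find_stalls(log_text, min_gap=5.0):
    """Return one dict per gap of at least min_gap seconds inside a request."""
    prev = {}         # worker -> (timestamp, message) of its previous line
    open_stalls = {}  # worker -> stalls seen in the request still in progress
    stalls = []
    for raw in log_text.splitlines():
        # Accept lines pasted from a mail quote ("> ..."); wrapped
        # continuation lines carry no timestamp and are skipped.
        m = LINE_RE.match(raw.lstrip("> ").strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        worker, msg = m.group(3), m.group(4)
        if worker in prev:
            gap = (ts - prev[worker][0]).total_seconds()
            if gap >= min_gap:
                stall = {"worker": worker, "gap": gap, "after": prev[worker][1],
                         "before": msg, "timeout": False}
                stalls.append(stall)
                open_stalls.setdefault(worker, []).append(stall)
        if "COLLECT_TIMEOUT" in msg:
            for stall in open_stalls.get(worker, []):
                stall["timeout"] = True  # the stall ended in a client timeout
        if msg == "Disconnect client":
            # Request finished: idle time until the next request is not a stall.
            prev.pop(worker, None)
            open_stalls.pop(worker, None)
        else:
            prev[worker] = (ts, msg)
    return stalls
```

The step named in `after` is where the time went, which is the place to check backend lookups and database performance as Oliver suggests.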
