Hi Christophe,

the config looks good from my POV.

a) check the permissions of the realm directory.
b) if you set a different password for the keys you need to adjust the secrets section.

Try to read the keys as user openxpki with the password "root" - if this does not work it's a permission problem.

Oliver

On 05.06.20 at 18:13, Christophe Baegert wrote:
> Hi,
>
> I've just set up my own CA and installed OpenXPKI 3.4.0 on Debian 10.
> But I have warnings on the homepage, a "backend error" when validating a
> cert request and another error "unable to load signing key file" in
> openxpki.log. Any idea?
>
> WebUI:
>
> Your system status is critical!
>
> No CRL found! (that's true)
>
> Active Encryption Token not available (vault-1)
>
> System Version 3.4.0
> Hostname openxpki
> Config Version api 3.2 commit 0e4104 config 3.2
>
> Tokens of type certsign
>
> Token Alias   Certificate Identifier            Token Status   not before                not after
> ca-signer-1   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   OFFLINE        2020-06-05 11:19:23 UTC   2022-06-05 11:19:23 UTC
>
> Tokens of type datasafe
>
> Token Alias   Certificate Identifier            Token Status   not before                not after
> vault-1       yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   OFFLINE        2020-06-05 10:20:01 UTC   2030-06-08 10:20:01 UTC
>
> And it can't generate any cert (backend communication error)
>
> This is the content of the openxpki.log
>
> 2020/06/05 17:08:41 ERROR OpenSSL error:
> 139975404565632:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 139975404565632:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
> 139975404565632:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
> 139975404565632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139975404565632:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139975404565632:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139975404565632:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>
> 2020/06/05 17:08:41 ERROR OpenSSL error:
> 140605842875520:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 140605842875520:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
> 140605842875520:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
> 140605842875520:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 140605842875520:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 140605842875520:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 140605842875520:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>
> 2020/06/05 17:08:41 ERROR OpenSSL error:
> 139968748442752:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 139968748442752:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
> 139968748442752:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
> 139968748442752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139968748442752:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139968748442752:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139968748442752:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
> 2020/06/05 17:08:41 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=16833|sid=8MLl]
>
> This is the content of my realm directory
>
> root@openxpki:/etc/openxpki/ca# ls -lsrtd myownrealm/*
> 0 lrwxrwxrwx 1 root root 42 mai 18 15:17 myownrealm/scep-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_SCEP_RA.key
> 0 lrwxrwxrwx 1 root root 45 mai 18 15:17 myownrealm/ca-signer-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_Issuing_CA.key
> 4 -r--r--r-- 1 root openxpki 1192 juin 5 12:13 myownrealm/MYCOMPANY_Root_CA.crt
> 4 -r--r----- 1 root openxpki 1766 juin 5 12:13 myownrealm/MYCOMPANY_Root_CA.key
> 4 -r--r----- 1 root openxpki 19 juin 5 12:19 myownrealm/MYCOMPANY_Issuing_CA.pass
> 4 -r--r----- 1 root openxpki 3414 juin 5 12:20 myownrealm/MYCOMPANY_Issuing_CA.key
> 4 -rw-r--r-- 1 root root 1752 juin 5 12:20 myownrealm/MYCOMPANY_Issuing_CA.csr
> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.pass
> 4 -r--r----- 1 root openxpki 3422 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.key
> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.pass
> 4 -r--r--r-- 1 root openxpki 1870 juin 5 12:20 myownrealm/MYCOMPANY_DataVault.crt
> 4 -r--r----- 1 root openxpki 3422 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.key
> 4 -rw-r--r-- 1 root root 1671 juin 5 12:20 myownrealm/MYCOMPANY_SCEP_RA.csr
> 4 -r--r----- 1 root openxpki 19 juin 5 12:20 myownrealm/MYCOMPANY_WebUI.pass
> 4 -rw-r--r-- 1 root root 1724 juin 5 12:20 myownrealm/MYCOMPANY_WebUI.csr
> 4 -r--r----- 1 root root 3414 juin 5 12:32 myownrealm/MYCOMPANY_WebUI.key.bak
> 4 -r--r----- 1 root openxpki 3243 juin 5 12:33 myownrealm/MYCOMPANY_WebUI.key
> 4 -rw-r--r-- 1 root root 1346 juin 5 12:33 myownrealm/MYCOMPANY_WebUI.crt
> 4 -rw-r--r-- 1 root root 41 juin 5 13:19 myownrealm/MYCOMPANY_Root_CA.srl
> 4 -rw-r--r-- 1 root root 1424 juin 5 13:19 myownrealm/MYCOMPANY_Issuing_CA.crt
> 0 lrwxrwxrwx 1 root root 44 juin 5 13:32 myownrealm/vault-1.pem -> /etc/openxpki/ca/myownrealm/MYCOMPANY_DataVault.key
> 4 -rw-r--r-- 1 root root 33 juin 5 16:49 myownrealm/MYCOMPANY_Root_CA.pass
>
> This is my realm conf file (crypto.yaml):
>
> # Sample Mockup Config for Token config of a single realm
>
> # The left side are fixed aliases used in the code, the right side
> # are arbitrary chosen names, referencing the tokens below.
> type:
>   certsign: ca-signer
>   datasafe: vault
>   scep: scep
>
> # The actual token setup, based on current token.xml
> token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>
>     # Template to create key, available vars are
>     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
>     key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem
>
>     # possible values are OpenSSL, nCipher, LunaCA
>     engine: OpenSSL
>     engine_section: ''
>     engine_usage: ''
>     key_store: OPENXPKI
>
>     # OpenSSL binary location
>     shell: /usr/bin/openssl
>
>     # OpenSSL binary call gets wrapped with this command
>     wrapper: ''
>
>     # random file to use for OpenSSL
>     randfile: /var/openxpki/rand
>
>     # Default value for import, recorded in database, can be overridden
>     secret: default
>
>   ca-signer:
>     inherit: default
>
>   vault:
>     inherit: default
>     #key: /etc/openxpki/ca/[% ALIAS %].pem
>
>   scep:
>     inherit: default
>     backend: OpenXPKI::Crypto::Tool::LibSCEP
>
>   # A different scep token for another scep server, served from datapool
>   #scep-altra:
>   #  inherit: ca-scep
>   #  key_store: DATAPOOL
>   #  key: "[% ALIAS %]"
>
> # Define the secret groups
> secret:
>   default:
>     label: Default secret group of this realm
>     export: 0
>     method: literal
>     value: root
>
>     # if you want to enter the password after startup via the Webui
>     # replace method and value above with this block, kcv is optional
>     # but highly recommended as wrong passwords let the engine crash
>     # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
>     #method: plain
>     #cache: daemon
>     #kcv: $argon2id$v=19$m=32768,t=3,p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> Thank you for your help
>
> Regards,
>
> Christophe
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
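The reply above names two distinct causes for a token going OFFLINE: the daemon user cannot read the key file, or the key file is readable but was encrypted with a passphrase other than the literal secret in crypto.yaml (the `EVP_DecryptFinal_ex:bad decrypt` and `PEM_read_bio_PrivateKey` lines in the quoted log are what OpenSSL prints in the second case). The script below is an added example, not code from this thread or from the OpenXPKI project; it tells the two cases apart for each token alias by resolving the `<alias>.pem` symlink, testing readability as the service user (via `su` when run as root, otherwise as the current user) and then trying to decrypt the target with `openssl pkey`. The realm path, the user name `openxpki`, the alias list and the passphrase `root` are taken from the quoted message and can be overridden through the environment; `check_key_passfile` additionally shows how a passphrase kept in a `.pass` file like those in the listing would be tried.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenXPKI project.
# Separates the two failure modes named in the reply for one realm's token
# keys: a key the service user cannot read (PERMISSION) versus a readable key
# that does not decrypt with the configured secret (PASSPHRASE).
#
# Assumptions, all overridable through the environment:
#   REALM_DIR      realm directory holding the <alias>.pem symlinks
#   SERVICE_USER   unprivileged user the OpenXPKI daemon runs as
#   ALIASES        token aliases whose keys the daemon must be able to load
#   KEY_PASSPHRASE the literal secret value from the realm's crypto.yaml
REALM_DIR="${REALM_DIR:-/etc/openxpki/ca/myownrealm}"
SERVICE_USER="${SERVICE_USER:-openxpki}"
ALIASES="${ALIASES:-ca-signer-1 vault-1 scep-1}"
KEY_PASSPHRASE="${KEY_PASSPHRASE:-root}"

# Run a shell snippet as SERVICE_USER when invoked as root and that user
# exists; otherwise run it as the current user (a dry run, less strict).
run_as_service_user() {
    if [ "$(id -u)" -eq 0 ] && id "$SERVICE_USER" >/dev/null 2>&1; then
        su -s /bin/sh "$SERVICE_USER" -c "$1"
    else
        sh -c "$1"
    fi
}

# Exit 0 if the private key in $1 decrypts with the passphrase string $2.
# A wrong passphrase makes openssl fail with EVP_DecryptFinal_ex:bad decrypt.
check_key_password() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Same check with the passphrase read from the first line of file $2, the
# way a *.pass file placed next to the key would be used.
check_key_passfile() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Classify one alias symlink. Prints one line and returns
# 0 = OK, 1 = PERMISSION (target unreadable as the service user or missing),
# 2 = PASSPHRASE (readable, but the given passphrase does not decrypt it).
diagnose_key() {
    link="$1"; pw="$2"
    target=$(readlink -f "$link" 2>/dev/null)
    if [ -z "$target" ] || ! run_as_service_user "test -r '$target'"; then
        echo "PERMISSION $link -> ${target:-?} not readable as $SERVICE_USER or missing $(ls -ld "$target" 2>/dev/null | awk '{print $1, $3, $4}')"
        return 1
    fi
    if ! check_key_password "$target" "$pw"; then
        echo "PASSPHRASE $link -> $target readable, but does not decrypt with the configured secret"
        return 2
    fi
    echo "OK $link -> $target"
    return 0
}

# Check every configured alias; non-zero if any key is unusable.
check_realm() {
    rc=0
    for alias in $ALIASES; do
        diagnose_key "$REALM_DIR/$alias.pem" "$KEY_PASSPHRASE" || rc=1
    done
    return $rc
}

# Only run the full check when the realm directory is present, so the
# functions can also be sourced into another script.
if [ -d "$REALM_DIR" ]; then
    check_realm
    exit $?
fi
```

Run it as root on the CA host so the readability test really happens under the `openxpki` account; a `PASSPHRASE` result for `ca-signer-1.pem` or `vault-1.pem` means the key was encrypted with something other than the literal `value` in the realm's `secret` section, which is the second of the two fixes suggested in the reply. Note that `test -r` as root always succeeds, which is why the check is executed as the service user rather than by inspecting the mode bits.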
