Hey OpenXPKI team

I'm having a hard time with this install... I'm also wondering if there are
more up-to-date docs maybe? I'm following the quickstart and realm guides
linked on the website, but perhaps they are old?

Here's the problem - I cannot get the vault and ca-signer to work.

My logs:

OpenXPKI Server is running and accepting requests.
DONE.
unable to load signing key file
 [pid=14740|sid=xKLQ]
2020/11/07 20:21:36 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
__EXIT_STATUS__ => 512 [pid=14740|sid=xKLQ]
2020/11/07 20:21:36 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__
=> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
[pid=14740|sid=xKLQ]
2020/11/07 20:21:36 ERROR
I18N_OPENXPKI_CRYPTO_TOKENMANAGER_LOAD_SECRET_WRONG_METHOD; __GROUP__ =>
default, __METHOD__ => EMPTY, __REALM__ => dzsec [pid=14740|sid=xKLQ]
2020/11/07 20:21:58 INFO Loaded auth handler dzop [pid=14765|]
2020/11/07 20:21:58 INFO Loaded auth handler TestAccounts [pid=14765|]
2020/11/07 20:21:58 INFO Loaded auth handler dzlogin [pid=14765|]
2020/11/07 20:21:58 INFO Loaded auth handler dzra [pid=14765|]
2020/11/07 20:21:58 INFO Loaded auth handler dzadmin [pid=14765|]
2020/11/07 20:22:11 ERROR
I18N_OPENXPKI_CRYPTO_TOKENMANAGER_LOAD_SECRET_WRONG_METHOD; __GROUP__ =>
default, __METHOD__ => EMPTY, __REALM__ => dzsec [pid=14786|sid=xKLQ]
2020/11/07 20:22:11 ERROR Unable to load key from datapool; __KEY__ =>
/usr/local/etc/openxpki/ca/dzsec/ca-signer-1.pem [pid=14786|sid=xKLQ]
2020/11/07 20:22:11 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__
=> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
Unable to load key from datapool; __KEY__ =>
/usr/local/etc/openxpki/ca/dzsec/ca-signer-1.pem [pid=14786|sid=xKLQ]
2020/11/07 20:22:11 ERROR
I18N_OPENXPKI_CRYPTO_TOKENMANAGER_LOAD_SECRET_WRONG_METHOD; __GROUP__ =>
default, __METHOD__ => EMPTY, __REALM__ => dzsec [pid=14786|sid=xKLQ]
2020/11/07 20:24:40 ERROR
I18N_OPENXPKI_CRYPTO_TOKENMANAGER_LOAD_SECRET_WRONG_METHOD; __GROUP__ =>
default, __METHOD__ => EMPTY, __REALM__ => dzsec [pid=14804|sid=xKLQ]
2020/11/07 20:24:40 ERROR Unable to load key from datapool; __KEY__ =>
/usr/local/etc/openxpki/ca/dzsec/ca-signer-1.pem [pid=14804|sid=xKLQ]
2020/11/07 20:24:40 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__
=> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
Unable to load key from datapool; __KEY__ =>
/usr/local/etc/openxpki/ca/dzsec/ca-signer-1.pem [pid=14804|sid=xKLQ]
2020/11/07 20:24:40 ERROR
I18N_OPENXPKI_CRYPTO_TOKENMANAGER_LOAD_SECRET_WRONG_METHOD; __GROUP__ =>
default, __METHOD__ => EMPTY, __REALM__ => dzsec [pid=14804|sid=xKLQ]
2020/11/07 20:27:24 ERROR
I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER; __HANDLER__ =>
System, __PKI_REALM__ => dzsec [pid=14914|sid=YH2V]


Here's how I tried to set up the system: (EG)

openxpkiadm alias --realm dzsec --token certsign \
    --file /usr/local/etc/openxpki/ssl/dzsec/ca-one-signer-1.crt \
    --key /usr/local/etc/openxpki/ssl/dzsec/ca-one-signer-1.pem

which gives an error:
2020/11/07 20:19:07 Initialization failed - message is ERROR
Initialization failed. Stopped at
/usr/local/lib/perl5/site_perl/OpenXPKI/Client/Simple.pm line 310.

The certs end up in the database however.

If I try and add the custom password for the keys using this:

openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
    --arg key=vault-1 \
    --arg encrypt=1 \
    --filearg value=/usr/local/etc/openxpki/ca/ca-one-vault-1.pem

I get this:

Error: I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER
Unhandled service message. Stopped at /usr/local/bin/openxpkicli line 355

My realm/crypto.yml is:

cat /usr/local/etc/openxpki/config.d/realm/dzsec/crypto.yaml
#Sample Mockup Config for Token config of a single realm
# The left side are fixed aliases used in the code, the right side
# are arbitrary chosen names, referencing the tokens below.
type:
  certsign: ca-signer
  datasafe: vault
  scep: scep

# The actual token setup, based on current token.xml
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL

    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    key: /usr/local/etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem

    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI

    # OpenSSL binary location
    shell: /usr/bin/openssl

    # OpenSSL binary call gets wrapped with this command
    wrapper: ''

    # random file to use for OpenSSL
    randfile: /var/openxpki/rand

    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    #key: /usr/local/etc/opnexpki/ca/dzsec/ca-one-signer-1.pem
    secret: dzsecsec


  vault:
    inherit: default
    key: /usr/local/etc/openxpki/ca/[% ALIAS %].pem

  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"

# Define the secret groups
secret:
    dzsecsec:
        # this let OpenXPKI use the secret of the same name from system.crypto
        # if you do not want to share the secret just replace this line with
        # the config found in system.crypto. You can create additional secrets
        # by adding similar blocks with another key
        #import: 1
        #export: 0
        method: literal
        value: <my long complex password>
        cache: daemon
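
An added check, not part of the original post and not OpenXPKI code: the log above reports `__GROUP__ => default, __METHOD__ => EMPTY` for realm `dzsec`, and in the posted crypto.yaml the `vault` token inherits `secret: default` while the `secret:` section defines only `dzsecsec`. The Python below resolves each token's `inherit` chain and lists the tokens whose secret group the realm does not define. Assumptions: the function names are hypothetical, the parser covers only the nested `key: value` subset used in this file, and a group counts as defined when it carries `method` or `import`, as the comments in the posted file describe.

```python
# Added example, not OpenXPKI code: SAMPLE is a constructed reduction of the posted file.
SAMPLE = """\
type:
  certsign: ca-signer
  datasafe: vault
token:
  default:
    secret: default
  ca-signer:
    inherit: default
    secret: dzsecsec
  vault:
    inherit: default
secret:
    dzsecsec:
        method: literal
"""

def parse_nested(text):
    """Parse indentation-nested 'key: value' lines (no lists, no flow syntax)."""
    stack = [(-1, {})]                    # (indent, mapping) of the open blocks
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:     # leave blocks that have ended
            stack.pop()
        key, _, value = body.partition(":")
        node = value.strip() or {}
        stack[-1][1][key.strip()] = node
        if isinstance(node, dict):
            stack.append((indent, node))
    return stack[0][1]

def effective(tokens, name):
    """Resolve a token's 'inherit' chain; the token's own keys win."""
    tok = tokens.get(name, {})
    base = effective(tokens, tok["inherit"]) if "inherit" in tok else {}
    return {**base, **tok}

def undefined_secret_groups(cfg):
    """Return {token: group} for groups lacking both 'method' and 'import'."""
    tokens, secrets = cfg.get("token", {}), cfg.get("secret", {})
    used = {t: effective(tokens, t).get("secret") for t in cfg.get("type", {}).values()}
    return {t: g for t, g in used.items()
            if g and not {"method", "import"} & set(secrets.get(g, {}))}

if __name__ == "__main__":
    print(undefined_secret_groups(parse_nested(SAMPLE)))   # {'vault': 'default'}
```

To check a real realm file, pass its contents to `parse_nested` in place of `SAMPLE`; a non-empty result names the tokens to give a defined secret group before importing keys.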